Network Execs Argue Against Government Regulation in Cybersecurity

Government regulation could hamper efforts to get ahead of innovative bad guys, argued a panel of network executives in a Congressional hearing this week.

"Anything you can write down as a best practice is already being done," Edward Amoroso, chief security officer of AT&T Services, told the House Energy and Commerce subcommittee on Communications and Technology. "The new things we're working on you don't know about."

The hearing was part of a response to a GOP cybersecurity task force that last year recommended Congress concentrate on targeted, easy-to-achieve legislation rather than a comprehensive cybersecurity bill. The task force also recommended that Congress avoid regulation in favor of incentives for voluntary cooperation, a sentiment that was echoed by the witnesses.

"More can and should be done, but carefully," said David Mahon, chief security officer for the Tier 1 backbone provider Century Link. The government should focus on enabling information sharing within industry and with government, without prescriptive regulations. "We and our peers already have the strongest commercial incentives to protect our networks," he said. "There is neither a lack of will nor a lack of commitment," but he said that private-sector efforts could be diverted by checklist requirements.

"Market forces are better suited to respond to constantly changing cyber threats," said John Olsen, CIO of MetroPCS Communications.

What industry needs are safe harbors from liability and public disclosure of threat and vulnerability information, together with greater access to and freedom to use government information, witnesses said.

The lone voice on the panel in favor of any security standards was Scott Totzke, senior vice president of Research In Motion's BlackBerry Security Group, who spoke in favor of baseline standards for vendors, with testing programs to validate vendor claims for the security of products. Although now being challenged by other products, RIM's BlackBerry has for years been the dominant mobile device in government.

"Greater adherence to security standards like FIPS [the Federal Information Processing Standards] would help customers better understand their personal and professional investments in protecting their information," Totzke said. "The assurance that the information is trusted and suitable for use by some of the most security-conscious organizations in the world is an essential cornerstone in developing trust and confidence."

Witnesses described a common set of security efforts being taken to secure their networks, with multiple layers of defenses. Comcast has taken an additional step by becoming the first large Internet service provider to implement the DNS Security Extensions to help protect the Domain Name System.

Comcast vice president for Internet systems engineering Jason Livingood said that the 2008 announcement of a critical vulnerability that would allow easy DNS poisoning "scared the heck out of us." The company began implementing DNSSEC to help it reach the critical mass needed for better security. "It will require adoption across the entire ecosystem," he said.

Despite market-based incentives to secure their networks and the current lack of government-mandated security, commercial networks are still falling behind in their efforts to defend themselves.

"We are being out-innovated by our adversaries," AT&T's Amoroso said. He described malware "so good, so well-crafted that we are amazed at how far our adversaries have come."

Amoroso said that any government regulation would stifle innovation needed to get out in front of the bad guys, and said that service providers should not be responsible for providing additional security for their customers. He also was doubtful of the value of DNSSEC, saying that cryptographic applications are "incredibly complicated to run," and that "complexity of the infrastructure is the biggest problem in cybersecurity."

He conceded that DNSSEC does have some benefits, but warned that unintended consequences of implementing the technology could make security worse.

About the Author

William Jackson is the senior writer for Government Computer News (

