Cybersecurity. Cyberwarfare. Cyber criminals. The words alone are unnerving and the issues they raise are challenging and deeply complex. I’ve been working in this area for a while now and I’m still amazed by its ever-changing landscape. Protecting our nation’s networks is critical and a top priority for network operators as well as regulators and lawmakers. But the entire Internet ecosystem – and that includes applications, devices and users – play integral roles in effective cybersecurity. Indeed, it takes a village.
At AT&T, cybersecurity is something we think about 24/7. So, I thought today that I would highlight recent comments we filed on the matter with both the National Telecommunications and Information Administration (NTIA) and the Federal Communications Commission (FCC). I’ll try not to get too far in the weeds but I want to draw attention to some important issues policymakers are grappling with and the potential effects they could have in this very sensitive area.
We agree with the cyber attack finding in this IBM report that the primary vulnerabilities occur at the software, application, device and user layers. And according to a study conducted by Verizon, 87% of data breaches were considered avoidable through the use of reasonable controls.
Cyber criminals are increasingly exploiting user carelessness and naïveté. One of the top ten security threat trends for 2010 identified by Symantec was the use of social engineering. Attackers are going directly after the end user and attempting to trick them into downloading malware or divulging sensitive information. And the challenges are complicated by the evolving nature of cyber threats.
Now, this is not to say that Internet service providers (ISPs) do not have a responsibility to guard against cyber attacks. We, as do most other ISPs, invest heavily in this area to ensure that our networks are robust and reliable.
AT&T takes an “in-the-cloud” approach to cybersecurity, monitoring traffic flows and attempting to thwart cyber threats at the network layer. But it’s important to understand that there is no foolproof solution to this problem.
For this reason, we have significant concerns with the FCC taking a large role in cybersecurity that is narrowly focused on ISPs when the issue is an Internet-wide problem. There are already existing incentives for ISPs to protect their networks. Regulation would be unnecessary at best and, at worst, it could be counter-productive by constraining ISPs’ flexibility to detect and deter cyber-threats. In addition, there are other government agencies looking into cybersecurity.
The Center for Democracy and Technology has made a similar point stating that the FCC “should embrace three principles: limited authority, consultation [with the private sector] and transparency.” CDT also said, in regards to entities over which the Commission arguably has jurisdiction, “the FCC can promote best practices and standards in collaboration with public/private bodies rather than through government-run regulatory processes.”
The FCC indeed has an important role and its expertise in the area may be best suited to promote awareness and education in coordination with other agencies
More broadly, a few things we think that policymakers should focus on include: protecting government networks to set an example for the industry; consolidating the many existing efforts put forth by various government agencies; establishing policies that preserve the private sector’s ability to be flexible in addressing cyber threats and that promote continued investment and innovation; improving strategic information sharing; creating the right incentives for more secure software design; and encouraging the development of private sector best practices.
The Internet has played an extraordinary part in shaping our society, and it will continue to shape our everyday lives in unfathomable ways going forward. But with all the benefits come downsides, like cyber threats. We all want to do our part to protect our networks, devices, services, applications and users from the bad guys. But we have to be careful not to unwittingly harm one part of the Internet ecosystem when effective cybersecurity requires all hands on deck.
Remember that village I mentioned?