Government

RSA wrapup: Private sector feels burned by feds

In direct conversations with FedScoop as well as idle chatter heard at industry parties, the private sector is running out of patience with the federal government’s understanding and efforts in cybersecurity.

By Greg Otto

March 6, 2016

Criticism of the feds’ efforts to force Apple to hack its own encryption dominated chatter at last week’s RSA Conference but seems to be the tip of an iceberg of discontent: The private sector is running out of patience with the U.S. government’s poor understanding and bungled efforts in cybersecurity.

Every panel that featured a government representative — even one not affiliated with the FBI or Justice Department — elicited questions that boiled down to either “You know the FBI is overstepping its bounds, right?” or “You don’t stand with the FBI, do you?” The exasperation was even voiced by ex-officials. During a panel at a cocktail event, former top counterterrorism official Richard Clarke dressed down Assistant Attorney General John Carlin for the DOJ’s use of the All Writs Act in compelling Apple to help it break into the iPhone used by one of the San Bernardino shooters.

In informal exchanges, the mood was no better. Private sector executives applauded Clarke for having the fortitude to tell the DOJ what they wish they could say themselves. One CEO urged administration and congressional leaders to borrow a page from Clarke’s counterterror book — and publicly apologize for not doing more to understand and win the cybersecurity battle.

He added that he considers most of cybersecurity leadership in the government “gutless or incompetent.”

The CEO was one of many attendees at RSA who circulated security researcher Dan Kaminsky’s op-ed in Wired on Wednesday, accusing the Obama administration of watching the digital world burn instead of helping to put the fire out.

The metaphor is apt, given that 24 hours prior, the Department of Homeland Security’s Andy Ozment was calling National Protection and Programs Directorate “the firefighters” when it comes to incident response. DHS officials spent a lot of time talking to people at RSA about their efforts related to the newly passed information sharing law, the Cybersecurity Act of 2015. FedScoop did not meet a single company executive who was warm to the idea of sharing threat information with DHS.

A broken acquisition system

Beyond policy, executives also expressed frustration with (what else?) the acquisition process. A number of companies provided product demos of every kind from endpoint security to network segmentation, but said getting it inside government agencies takes longer than the technology’s useful lifespan.

Even getting a demo to agency leaders is no guarantee, it seems. Boston-based Pwnie Express has demoed their Pwn Pulse wireless detection device for the FBI and Secret Service. This $200 device, the size of a hard drive, has been used to monitor every wireless point during events at Levi’s Stadium in Santa Clara (68,500 person capacity, just hosted Super Bowl 50). But CEO Paul Paget told FedScoop he couldn’t get the government to return his calls.

Another security consultant said point blank: “When there is a cyber war, the U.S. will lose. And we will lose because of federal acquisition regulation.”

Interestingly, the government official who got the most positive response was Secretary of Defense Ashton Carter, who announced a bug bounty program that will allow vetted white hat hackers to perform penetration testing on some of DOD’s public-facing websites. Hundreds attended Carter’s panel, where his remarks were met with applause.

It’s not as if the government doesn’t understand it has the deck stacked against them. Department of Homeland Security’s deputy undersecretary for cybersecurity and communications Phyllis Schneck told FedScoop cyberthreats are “very formidable”: “They are very fast. They have no lawyers, they have nothing to protect, they have great relationships with one another, and they’ve got plenty of money.”

That description, in many ways, is like a mirror image of the U.S. government.

“You can’t just keep doing what we are doing,” Carter said. “The world changes too fast, our competitors change too fast.’

And if RSA is anything to go by, it’s going to take more people inside the government to realize that before the private sector feels like the feds aren’t standing idle while the country goes up in flames.