Former Cyber Chief Raises 'Perfect Storm'
WASHINGTON -- Three former Bush administration top cyber security officials don't think the White House or the top levels of the private sector are putting enough priority on securing the nation's networks.
The two former cyber security czars and a former cyber security chief of staff, who spoke at a Gartner forum moderated by journalist Bob Woodward, have all been part of the constant turnover at the highest levels of the Bush administration's security team.
"There has not been enough investment at the most senior political levels in the administration to make this an important issue," Roger Cressey, the former chief of staff to the president's Critical Infrastructure Protection Board, said.
According to Cressey, "People look at cyber and they say, 'Well, the physical is what we really worry about because that's how people die. Stuff blows up, we have to worry about body bags.' Cyber doesn't do that so, therefore, it's a secondary issue."
He said he didn't disagree with the priority on physical security, but until the White House fully addresses cyber security issues, the private sector isn't likely to follow. He added that he has a "general frustration" that the administration is still in a reactive mode.
"If you don't elevate cyber you're not going to bring all the resources that a White House and an administration can bring to bear on the issue and work with the private sector to get proactive," he said.
Former cyber security chiefs Howard Schmidt and Amit Yoran admitted the Bush administration needs to do more to highlight the potential threats, but they also said it's mostly a private-sector problem.
The White House says 80 percent of the nation's networks are controlled by private enterprise.
"I don't think we will ever solve the problem just like we've never really solved the physical world security problem," Schmidt said. "What gnaws at me is the lack of realization that you could potentially become a victim whether it's a large enterprise, an end user or a small-to-medium enterprise."
Yoran said private enterprise is making progress in addressing cyber security issues but much work still needs to be done.
"To a large extent, the folks running these businesses don't have a good understanding that these new technologies are also introducing vulnerabilities," he said. "Most organizations are willing to make the investment they need to."
Cressey said phishing attacks, viruses and ID theft are converging to create a "perfect storm" in cyberspace.
"I agree that government can't solve it, but government has to play a strong role in providing leadership and direction and identifying the priorities," Cressey said. "Don't confuse activity with achievement. The question is what is the output? We haven't taken a lot of the good work done early on and translated that into a road map to achieve specific steps."
Cressey also said that both the government and the private sector need to focus less on "cyber terrorism" concerns and more on threats to e-commerce.
"The problem is that people look at cyber terrorism as sexy, but, really, everyone is taking advantage of the same vulnerabilities," he said. "Don't worry about the terrorism aspects of this, worry about how to deal with the threats and vulnerabilities that exist and how do we mitigate this."