SAN FRANCISCO — If the Internet is going to get any more secure, U.S. businesses will have to keep on guarding it and locking it down one piece at a time.
Calling the country’s “National Strategy for Securing Cyber Security” a mosaic, White House Cyber Security Advisor Howard Schmidt Tuesday said concerns about IT infrastructure are clearly in the hands of the private sector.
“Time is of the essence,” Schmidt said at the RSA Security conference here. “From 1994 up until the denial-of-service attacks in 2000, this was not a boardroom issue. We have not fully realized the potential and capability of what the Internet can do for us.”
But since the national plan was rolled out in February, Schmidt (a former chief of security at Microsoft) conceded that it has taken a long time to get people on board.
“Clearly the question has been asked, ‘Is anybody really going to do something?’” Schmidt said. “We’ve had some indications of success. Campuses and universities are taking steps in making them more secure. The hardware and wireless manufacturers are providing free links to firewall software for small to medium businesses and we’ve seen hardware and software manufacturers training employees writing secure code. We are also seeing an increasing amount of cooperation between law enforcement to help with the crackdown.”
The effort is getting major financial backing. The administration has authorized $900 million for the next five years for cyber security research and development. Schmidt said the money has yet to be appropriated. Overall spending on services and technology across all federal agencies is expected to grow from $45.4 billion in fiscal year 2003 to $68.2 billion in 2008, with e-government and homeland security getting the lion’s share.
But the Cyber Security program has lost some of its teeth since President Bush eliminated the President’s Critical Infrastructure Protection Board (PCIPB), the office that created the National Strategy for Securing Cyber Security, and since the departure of Richard Clarke.
Schmidt also conceded that there are no official mandates requiring companies to comply with the security guidelines, and that penalties at this point equal a slap on the wrist and public shame.
“We will let the market decide what is working and what is not,” Schmidt said.
Schmidt himself raised eyebrows while at Microsoft when he said the “Slammer” worm only caused “collateral damage” to the nation’s most important electronic systems. He also absolved Microsoft of blame for the attacks even though many security sources argue that the patches Microsoft issued for the buggy SQL were “self-contradictory and impossible to apply.”
Still, Schmidt pointed to the fact that 80 to 85 percent of critical Internet and Internet technologies are run by the private sector as proof that enterprise needs to take the lead in protecting IT infrastructure.
One of the few visible coalitions is TechNet, a network of over 200 CEOs and senior high tech executives. The group said Tuesday that it is working with the audit firms KPMG, Ernst & Young, Deloitte & Touche and PricewaterhouseCoopers on its Cyber Security Practices Adoption Campaign.
“What we’ve decided to do is to challenge American business to come up with recommended goals working with ISA to figure out a way for chief executives to put together some standardized processes,” said TechNet president and CEO Rick White.
In early March, the Silicon Valley-based group launched its CEO Cyber Security Task Force, made up of chief executives of some of the nation’s leading computer networking, hardware, software, and cyber security companies.