Cyber Security Heads Grade The System

SAN FRANCISCO — The government’s four-year plan to protect the nation’s IT infrastructure is getting a passing grade at mid-term, according to security experts who presented at the annual RSA Security Conference here this week. But according to two surveys by cyber security groups, the White House could do more.

This week also saw Michael Chertoff become the director of the Department of Homeland Security (DHS) after being unanimously confirmed by the Senate Tuesday. He replaced Tom Ridge who stepped down Feb. 1.

The DHS oversees the National Cyber Security Division (NCSD), which it created in response to the Bush administration’s National Strategy to Secure Cyber Space. The 76-page document, released in February 2003, is a call to the private sector and academia to guide an overwhelmed bureau through establishing best practices and to take the lead on protecting critical systems.

Executives with the Information Technology Association of America (ITAA), Business Software Alliance (BSA), Computing Technology Industry Association (CompTIA) and the Cyber Security Industry Alliance (CSIA) gave the initiative a vote of confidence, but each stressed that more would need to be done, and in relatively short order.

“We recommend a more robust partnership between the public and private sectors, both in terms of cyberspace and physical attack,” Jamie Gorelick, former U.S. deputy attorney general, 9/11 commissioner and consultant to the CSIA, told an audience at the RSA show. “What we suggested in the 9/11 statute is that the administration do a risk assessment for types of risk and geography.”

Gorelick is critical of the DHS’s spending policies when it comes to protecting critical IT systems. Of the $40.7 billion earmarked for 2005, the majority is going to strengthen border and port security. An additional $2.5 billion has been established for Project BioShield.

By contrast, NCSD is getting $67.4 million, a $2.1 million increase over 2004. An increase of $5 million has been proposed in the budget for 2006, which would bring the program total to $72.4 million.

In addition to underfunding, the concern of Gorelick and others, such as Richard Clarke, former special advisor to the president for cyber security, is that the nation’s Internet infrastructure needs a strong quarterback-type figure to call the shots.

“With the exception of banking and finance, I would broadly give [U.S. industry] an F, especially the government,” Clarke said during a panel discussion this week at the RSA show. “It’s fine for all of you in the industry saying you don’t want to regulate. But if you threaten to regulate an industry, they respond. But then you have to follow through.”

Clarke reminded attendees that, based on arrests made by authorities, terrorists are believed to be using advanced hacker tools and communicating with each other using standard Internet protocols and one-time passwords.

Without a continued effort by private and public groups, Clarke said, the United States would certainly be caught off guard in the same way that it was during the bombing of Pearl Harbor and the 9/11 attacks.

“On the issue of cyber security, we are forewarned,” Clarke said.

Surveying Cyber Security

The surveys released this week report on the progress made in cyber security in the public and private sectors.

The ITAA published the results of its survey, which was conducted by USC’s Institute for Critical Information Infrastructure Protection. The organization said respondents were asked to describe their top two or three accomplishments in cyber security over the past two years.

Responses included an extensive array of capabilities for large-scale network intrusion detection and for communicating cyber threats and attack patterns via early warning systems, as well as numerous structures for inter- and intra-industry sharing of information security-related information.

In addition, respondents said they made substantial investments in new information security products and product enhancements in intrusion detection and prevention, threat pattern detection, patch management, antivirus, spyware protection, firewalls, encryption, ID theft prevention, authentication, access control, privacy and related areas, according to ITAA’s results.

Other examples of cyber security accomplishments by respondents include:

  • Automatic online security updating of system and application
    software;

  • Multi-industry efforts to establish cohesive cyber security
    standards, metrics and organizational performance baselines;

  • Creation of several programs for cyber security assessment and
    certification;

  • Establishment of laboratories, collaborative efforts, courseware and
    other university level instruction; and

  • Development of Web sites and other outreach activity.

“We cannot rest on our laurels, however, because much remains to be done,” said Harris Miller, president of the ITAA, in a statement. “In the next few weeks, the National Cyber Security Partnership will come forward with a set of multi-industry commitments to improve the private sector’s information security posture in the future.”

According to the ITAA, the partnership is an informal gathering of private-sector organizations across industry sectors and academia committed, individually and collaboratively, to implementing the president’s cyber space strategy.

Another cyber security survey, a joint report by the Information Systems Security Association (ISSA) and the BSA, this week found more organizations have raised security to the senior management level.

Of the companies surveyed, 76 percent said they recognize that raising security as a priority makes them more efficient and less likely to suffer downtime, and gives them a competitive advantage in their market.

While 59 percent of security professionals continue to believe there will be a major cyber attack in the next 12 months (down from 65 percent in October 2003), 73 percent say they feel better prepared than they were just 12 months ago to evade the attack.

“Today’s communication capabilities have created dramatic new opportunities for both good and evil,” said David Cullinane, president of the ISSA, in a statement. “Cyber security has been recognized as a top priority for both the public and private sector. We must continue to work with governments and businesses on an international level to improve our security.”
