Execs Call for Tighter Cyber Security Control


WASHINGTON — Security industry executives said today the Bush
administration is not giving enough attention to increasing cyber attacks
that they say are threatening the nation’s critical network infrastructure.


At a downtown press conference organized by the Cyber Security Industry
Alliance (CSIA), officials from RSA Security, Citadel Security Software and
Juniper Networks called upon Bush to take a larger cyber security leadership
role than he has in the past.


“If critical information infrastructure is underpinning our economy and
our national security, it seems to me that this should have a much higher
profile within the administration,” said Art Coviello, RSA’s president and
CEO.


More than two years ago, Bush proposed a National Strategy to Secure
Cyberspace. The plan calls for a voluntary partnership between the public
and private sectors to share security intelligence, reduce vulnerabilities
and deter malicious entities.


Last year, the administration hosted a public-private cyber security summit
between the Department of Homeland Security (DHS) and private sector
security executives. DHS Assistant Secretary Bob Liscouski told the
executives the private sector should lead the cyber security effort since
more than 90 percent of the U.S. network infrastructure is in private hands.


In response, Coviello said the industry developed a “very good body of work
for following up [on the president’s plan],” but a subsequent summit never
happened.


“I think we raised the profile, but I don’t think we got the support within
the administration that, quite frankly, we should have,” Coviello said.
“Physical protection is extremely important, but I think we would have
gotten more action and more support from the administration had we had a
higher profile.”


To raise the cyber security profile, the CSIA issued 12 recommendations to
the Bush administration, including establishing a dedicated cyber security
post in the DHS, strengthening cyber threat information between the
government and the private sector and promoting information security
governance in the private sector.


The technology industry has long supported a different organizational
structure for cyber security at the DHS. Currently, the undersecretary for
infrastructure protection and information analysis has one assistant
secretary responsible for both physical and cyber security.


“Cyber and physical infrastructure security will receive greater respective
attention with an assistant secretary for cyber security working alongside
the assistant secretary for infrastructure protection,” the CSIA states in
its recommendations. “It is particularly important [for the new post to]
have primary authority over the national communications system given the
convergence of voice and data networks.”


The White House and the DHS have so far resisted making the change wanted by
the technology industry. Congress briefly toyed with the idea but ultimately decided not
to take action.

Neither the White House Office of Science and Technology nor the DHS responded to a request for comment.


Steven B. Solomon, Citadel’s CEO, said one of his greatest concerns is
information sharing with the government.


“The private sector has developed strong capabilities to provide indications
and warnings of cyber attacks over information networks and provide the
information to the private sector,” Solomon said. “However, we are unaware
of any efforts by the federal government to collect classified information
about cyber threats and share such information as appropriate.”


Solomon added, “The gap we have today is that government systems are not
likely to be the only target of cyber attacks. This fact represents a
strategic gap in the public sector and the private sector’s ability to
defend against these attacks.”


Coviello said the movement to Web-based services by the government was only
going to further underscore the gap between federal and private systems.


“If you have client/server or mainframe applications, you can still fairly
well firewall those off and I think generally most [federal] agencies do a
half decent job of that,” he said. “But as we do more Web-based applications
with the federal government, then you are exposing far more of these
applications to the public Internet and then you run the same risk that we
run into in the private sector, day in and day out.”


The executives also urged Congress to ratify the Council of Europe’s
Convention on Cybercrime, the first international treaty aimed at
cross-border cooperation on Internet crimes. The treaty was first negotiated under
the Clinton administration and signed by the Bush administration in late
2001. Two years later, it was introduced in the Senate, which has taken no
action on the matter.


“This should be a no-brainer,” Coviello said. “It would show international
leadership, would not require any new legislation for compliance but would
remove or minimize legal obstacles to international investigations and
prosecution of cyber crimes.”
