WASHINGTON — Three former Bush administration top cyber security officials don’t think the White House or the top levels of the private
sector are putting enough priority on securing the nation’s networks.
Speaking at a Gartner forum moderated by journalist Bob Woodward, the two
former cyber security czars and a former cyber security chief of staff have
all been a part of the constant turnover at the highest levels of the Bush
administration’s security team.
“There has not been enough investment at the most senior political levels in
the administration to make this an important issue,” Roger Cressey, the
former chief of staff to the president’s Critical Infrastructure Protection
Board, said.
According to Cressey, “People look at cyber and they say, ‘Well, the
physical is what we really worry about because that’s how people die. Stuff
blows up, we have to worry about body bags.’ Cyber doesn’t do that so,
therefore, it’s a secondary issue.”
He said he didn’t disagree with the priority on physical security, but until
the White House fully addresses cyber security issues, the private sector
isn’t likely to follow. He added that he has a “general frustration” that
the administration is still in a reactive mode.
“If you don’t elevate cyber you’re not going to bring all the resources that
a White House and an administration can bring to bear on the issue and work
with the private sector to get proactive,” he said.
Former cyber security chiefs Howard Schmidt and Amit Yoran admitted the Bush
administration needs to do more to highlight the potential threats, but they also said it’s mostly a private-sector problem.
The White House says 80 percent
of the nation’s networks are controlled by private enterprise.
“I don’t think we will ever solve the problem just like we’ve never really
solved the physical world security problem,” Schmidt said. “What gnaws at me
is the lack of realization that you could potentially become a victim
whether it’s a large enterprise, an end user or a small-to-medium
enterprise.”
Yoran said private enterprise is making progress in addressing cyber security
issues but much work still needs to be done.
“To a large extent, the folks running these businesses don’t have a good
understanding that these new technologies are also introducing
vulnerabilities,” he said. “Most organizations are willing to make the
investment they need to.”
Cressey called phishing attacks, viruses and ID theft a convergence creating
a “perfect storm” in cyberspace.
“I agree that government can’t solve it, but government has to play a strong
role in providing leadership and direction and identifying the priorities,”
Cressey said. “Don’t confuse activity with achievement. The question is what
is the output? We haven’t taken a lot of the good work done early on and
translated that into a road map to achieve specific steps.”
Cressey also said that both the government and the private sector need to
focus less on “cyber terrorism” concerns and more on threats to e-commerce.
“The problem is that people look at cyber terrorism as sexy, but, really,
everyone is taking advantage of the same vulnerabilities,” he said. “Don’t
worry about the terrorism aspects of this, worry about how to deal with the
threats and vulnerabilities that exist and how do we mitigate this.”