RSA: U.S. Cybersecurity Strategy Turns 10
Tom Ridge tells the government to stop talking and start acting.
SAN FRANCISCO - In recent weeks, the issue of cyberattacks from China and nation-state adversaries has been big news. The reality is that the U.S. has been taking steps to secure its national IT infrastructure from cyberattack for the last 10 years.
During a panel session at the RSA conference this week, Tom Ridge, the first head of the U.S. Department of Homeland Security, recounted the efforts that he helped lead 10 years ago. Ridge was joined by Howard Schmidt, who helped author the U.S. National Strategy to Secure Cyberspace under President Bush. More recently, Schmidt served as the cybersecurity coordinator of the Obama Administration.
"10 years ago, we started a national strategy to secure cyberspace. This was during the first several months post-9/11 and we were concerned that cyber attacks at that time were imminent," Ridge said.
Ridge said his primary task was to first build a national strategy for homeland security. Cyber was one component of that larger effort. The strategy was built as an aggregation of ideas that were collected during lots of town hall-type meetings and collaboration. The first draft of the strategy was released in September 2002 and opened to comment until February 2003, when it was finalized.
Ridge argued that material contained in the 2003 National Strategy for Cyberspace is still relevant today.
"It's about awareness, threat assessment and information sharing," Ridge said.
The strategy also involved having a national response mechanism as well as a threat vulnerability reduction program. The strategy led to the creation of US-CERT (United States Computer Emergency Readiness Team) in order to share and collaborate with the public on IT security.
Ridge stressed that the U.S. government in general, and the most recent Congress in particular, has been talking about cybersecurity for a long time.
"It's good to talk about," Ridge said. "But it's time to quit talking and start doing."
In February, President Obama signed an executive order to create a national cybersecurity framework.
Schmidt said that the framework states that the government is going to share information with the private sector.
"We have been saying that since 2003," Schmidt said. "Obama now wants it to be actionable."
Ridge added that any time the president of the United States is in news headlines about cybersecurity, it's a good thing. However, he isn't as thrilled about the actual content of the executive order.
"For the president to have to sign an order directing the government to give unclassified info to the private sector when there is a risk is incredulous to me," Ridge stated.
Overall, Ridge has an optimistic view on the nation's cybersecurity posture. "America did a lot post 9/11 to be more secure," he said.
He added that after 9/11 he was asked by someone how he sleeps at night. His response was that he doesn't sleep much, but he does believe the private and public sectors are doing lots to make us all more secure.
"There are still some challenges and I'm optimistic we can meet the challenges," Ridge said.