National Cyber Security Initiative Still Stalling
Homeland Security Secretary Tom Ridge says his agency is closer to protecting the Internet from an electronic 9/11, but skeptics aren't so sure.
SANTA CLARA, Calif. -- Eight months after forging a plan to secure cyberspace, a coalition of government and private corporations says it is close to unveiling real products and practices to bolster the nation's vulnerable networks.
As part of the first of several National Cyber Security Summits, U.S. Department of Homeland Security (DHS) Secretary Tom Ridge acknowledged a huge gap of time between the President's National Strategy for Securing Cyber Security, released earlier this year, and the deputization of the U.S. CERT Coordination Center, but said his department is making progress.
"We aim to reach 50 million Americans in the next few months," Ridge said to attendees here. "We will augment the President's vision through public campaigns, the U.S. CERT and through the Stay Safe Online program."
For example, Ridge pointed to the U.S. CERT Web site, which he said will serve as a resource for small businesses to private users looking for updates and warnings.
Mostly, though, the government is taking a laissez faire attitude toward recommending legislation or mandates.
"The president laid out the vision. We need a blueprint and we are convinced that working with you that we will find those feats possible," Ridge said.
Since the September 11 attacks, the U.S. government has taken a hard look at its critical infrastructure and decided it cannot do it alone considering 85 percent is owned by the private sector.
Critics however have lambasted the administration's plan as a very loosely based and too dependent on private enterprise without enough checks and balances. The program has also been somewhat adrift since the departure of inaugural director Richard Clarke and subsequent exit of former Microsoft CTO Howard Schmidt, who now resides at eBay as its chief science officer.
The National Cyber Security Division, now headed by Amit Yoran, has now been assigned the task to close the gap and start tying up loose ends. Only a few months into his term, the former Symantec executive said the nation's critical infrastructure is better off than a year ago, but admitted much more must be done to stay ahead of attacks.
"The government's record of managing security is unacceptable," Yoran said. "We are still compiling the results of the 'Live Wire' war game exercise to help us prepare for damaging events. We are already taking the data and improving our practices to prevent an electronic 9/11. We have moved from strategy to implementation but weaknesses in security are not acceptable. I ask you, 'Are you satisfied with your progress in our endeavor?' I hope that you are not."
As an incentive for getting high-tech companies to get in line, DHS Assistant Secretary Bob Liscouski said the administration would continue to campaign for enterprises that can regulate themselves, but only for so long.
"The partnership means more than just 'working together'," he said. "We need deliverables, we need metrics. The private sector owns the problem but we can't force it to be done. We can be your advocates. If you don't, we have people who are willing to regulate the way you do business."
IT companies already know the dangers of certain types of attacks. This summer's double whammy of Blaster and SoBig ended in a $3.5 billion price tag. And while the great Eastern seaboard blackout this summer was not caused by a cyber attacks, Ridge's administration seems convinced that viruses played a part in mitigating the damages.
To better assess the problem, members of four trade organizations -- Business Software Alliance, Information Technology Association of America, Tech Net and the U.S. Chamber of Commerce -- launched a CEO survey to evaluate their information security programs by April 4, 2004, National Cyber Security Day.
The internal document of 80 questions would then be used as a "public health assessment" to help companies find out what risks still exist. Ultimately the groups want to simplify the patch process; help developers understand the security process; share best practices; and look for incentives to foster a culture of security awareness.
One of those ways of better distributing information came Tuesday during the Markle Foundation's Task Force on National Security in the Information Age second annual report on homeland defense.
In its report, the task force urged the government to effectively utilize the often valuable information that is held in private hands, but only within a system of rules and guidelines designed to protect civil liberties. According to the task force, the government must rely on information to detect, prevent, and effectively respond to attacks since it is not possible for the nation to "harden" all potential targets against terrorist attack.
The process has been hindered by a lack of cooperation between federal, state and local entities, often referred to as "stovepipes".
PalmOne, PalmSource and 3Com chairman Eric Benhamou said that TechNet's survey is only one of several initiatives to help address the situation and that the silent practice of not owning up to cyber security is coming to an end.
"We are entering a new area of responsibility," Benhamou said. "We have traditionally found that companies fail to act because information technology is usually regulated to the IT department. Companies are experiencing a pain level with regard to security breaches that cannot be ignored."
A corresponding survey, conducted for BSA and ISSA by independent pollster Andrew Stavisky, found 65 percent of information security professionals believe that their organizations are at risk of a major cyber attack in the next 12 months.
The study of 1,716 members of the ISSA also found major information security challenges remain. While 55 percent of information security professionals said their companies have active information security awareness and training programs for employees, only 16 percent identified their company's workers as adequately trained.
Encouraging however to the pollsters: 78 percent said their organization is prepared to defend against a major cyber attack. Among those at the largest companies surveyed, 82 percent said their companies are more secure.