Ashcroft: Cybersecurity Takes a Village
Former attorney general argues for making security an institutional priority, outlines parallel between information security and 'war on terror.'
NATIONAL HARBOR, Md. -- Just as the intelligence and law-enforcement communities rely on tips from vigilant citizens, enterprises too must broaden their approach to information security, former Attorney General John Ashcroft said in a speech Monday morning.
Enterprises that relegate their security operations to a siloed department cordoned off from the rest of the organization do so at their own peril, Ashcroft warned an audience of IT security professionals here at the Gartner Security and Risk Management Summit.
"Broad participation is necessary in defending our systems," Ashcroft said.
"Our defense must be a first-line priority and part of the entire entity's DNA. It can't be relegated to some unseen status or presided over solely by the department of information protection or a CIO, he added. "[The] CIO desperately needs the perspective and support -- the help of coworkers and the management team."
Ashcroft, who served as President Bush's attorney general from 2001 to 2005, was one of the architects of many of the more controversial policies developed in response to the Sept. 11th attacks, including the Patriot Act.
Ashcroft drew a parallel between the United States' "war on terror" -- a term coined early in the Bush administration that has since fallen out of favor -- and the constant barrage of information threats enterprises and government agencies face.
He found a lesson for IT security professionals in three of the high-profile domestic attacks that were narrowly thwarted: the failed attempt by al Qaeda operative Richard Reid to blow up a commercial airliner in December 2001, a similar plot on Christmas Day 2009 and the failed Times Square car bombing May 1st of this year.
"Each of these attacks was primarily repelled by individuals whose focused responsibilities were outside the professional law enforcement community," Ashcroft said.
"Likewise, the protection of our enterprises and the protection of our country both are too important to reserve exclusively to law enforcement or information professionals alone the duty of protection, " he added.
To Ashcroft, the efforts of vigilant citizens to foil attempted terrorist attacks have an immediate parallel in the world of information security. He described it as a cultural shift that imbues an enterprise at all levels of the workforce with a surefooted understanding that security is everyone's job.
"We need to enlist the broader population of the entire organism in the development of the right policy and operational protocols, but also in an understanding of the need to protect," he said.
In addition to instilling the culture of security, Ashcroft emphasized the importance of effective and strictly limited access controls as an essential ingredient to effective security, again drawing a parallel between the work of government and enterprise.
"Too many people had too much access," Ashcroft said, recalling his days at the helm of the Justice Department. "An important component of an effective intelligence operation, which is not too distant from the important characteristics of good information systems, is that there should be a need-to-know- or a need-to-have-access that justifies the access that's there."
He added, "The truth of the matter is access is a balancing act that must be at the proper level for appropriate users. And the access meter needs to read 'impossible' for all others."
March 24, 2010
Homeland Security's cybersecurity director, Richard Marshall, warns that universities aren't turning out enough cybersecurity experts and urges greater scholarship funding.