Modernizing Authentication — What It Takes to Transform Secure Access
WASHINGTON -- Security industry executives said today the Bush administration is not giving enough attention to increasing cyber attacks that they say are threatening the nation's critical network infrastructure.
At a downtown press conference organized by the Cyber Security Industry Alliance (CSIA), officials from RSA Security, Citadel Security Software and Juniper Networks called upon Bush to take a larger cyber security leadership role than he has in the past.
"If critical information infrastructure is underpinning our economy and our national security, it seems to me that this should have a much higher profile within the administration," said Art Coviello, RSA's president and CEO.
More than two years ago, Bush proposed a National Strategy to Secure Cyberspace. The plan calls for a voluntary partnership between the public and private sectors to share security intelligence, reduce vulnerabilities and deter malicious entities.
Last year, the administration hosted a public-private cyber security summit between the Department of Homeland Security (DHS) and private sector security executives. DHS Assistant Secretary Bob Liscouski told the executives the private sector should lead the cyber security effort since more than 90 percent of the U.S. network infrastructure is in private hands.
In response, Coviello said the industry developed a "very good body of work for following up [on the president's plan]," but a subsequent summit never happened.
"I think we raised the profile, but I don't think we got the support within the administration that, quite frankly, we should have," Coviello said. "Physical protection is extremely important, but I think we would have gotten more action and more support from the administration had we had a higher profile."
To raise the cyber security profile, the CSIA issued 12 recommendations to the Bush administration, including establishing a dedicated cyber security post in the DHS, strengthening cyber threat information between the government and the private sector and promoting information security governance in the private sector.
The technology industry has long supported a different organizational structure for cyber security at the DHS. Currently, the undersecretary for infrastructure protection and information analysis has one assistant secretary responsible for both physical and cyber security.
"Cyber and physical infrastructure security will receive greater respective attention with an assistant secretary for cyber security working alongside the assistant secretary for infrastructure protection," the CSIA states in its recommendations. "It is particularly important [for the new post to] have primary authority over the national communications system given the convergence of voice and data networks."
The White House and the DHS have so far resisted making the change wanted by technology. Congress briefly toyed with the idea but ultimately decided not to take action.
Neither the White House Office of Science and Technology nor the DHS responded to a request for comment.
Steven B. Solomon, Citadel's CEO, said one of his greatest concerns is information sharing with the government.
"The private sector has developed strong capabilities to provide indications and warnings of cyber attacks over information networks and provide the information to the private sector," Solomon said. "However, we are unaware of any efforts by the federal governmentto collect classified information about cyber threats and share such information as appropriate."
Solomon added, "The gap we have today is that government systems are not likely to be the only target of cyber attacks. This fact represents a strategic gap in the public sector and the private sector's ability to defend against these attacks."
Coviello said the movement to Web-based services by the government was only going to further underscore the gap between federal and private systems.
"If you have client/server or mainframe applications, you can still fairly well firewall those off and I think generally most [federal] agencies do a half decent job of that," he said. "But as we do more Web-based applications with the federal government, then you are exposing far more of these applications to the public Internet and then you run the same risk that we run into in the private sector, day in and day out."
The executives also urged Congress to ratify the Council of Europe's Convention on Cybercrime, the first international treaty aimed at cross border cooperation on Internet crimes. The treaty was first negotiated under the Clinton administration and signed by the Bush administration in late 2001. Two years later, it was introduced in the Senate, which has taken no action on the matter.
"This should be a no-brainer," Coviello said. "It would show international leadership, would not require any new legislation for compliance but would remove or minimize legal obstacles to international investigations and prosecution of cyber crimes."