SAN FRANCISCO -- The government's four-year plan to protect the nation's IT infrastructure is getting a passing grade at mid-term, according to security experts who presented at the annual RSA Security Conference here this week. But according to two surveys by cyber security groups, the White House could do more.
This week also saw Michael Chertoff become secretary of the Department of Homeland Security (DHS) after being unanimously confirmed by the Senate on Tuesday. He replaced Tom Ridge, who stepped down Feb. 1.
The DHS oversees the National Cyber Security Division (NCSD), which it created in response to the Bush administration's National Strategy to Secure Cyberspace. The 76-page document, released in February 2003, calls on the private sector and academia to help an overwhelmed bureaucracy establish best practices and to take the lead in protecting critical systems.
Executives with the Information Technology Association of America (ITAA), Business Software Alliance (BSA), Computing Technology Industry Association (CompTIA) and the Cyber Security Industry Alliance (CSIA) gave the initiative a vote of confidence, but each stressed that more would need to be done and in relatively short order.
"We recommend a more robust partnership between the public and private sectors, both in terms of cyberspace and physical attack," Jamie Gorelick, former U.S. deputy attorney general, 9/11 commissioner and consultant to the CSIA, told an audience at the RSA show. "What we suggested in the 9/11 statute is that the administration do a risk assessment for types of risk and geography."
Gorelick is critical of the DHS's spending priorities when it comes to protecting critical IT systems. Of the $40.7 billion earmarked for 2005, the majority is going to strengthen border and port security. An additional $2.5 billion has been set aside for Project BioShield.
By contrast, NCSD is getting $67.4 million, a $2.1 million increase over 2004. An increase of $5 million has been proposed in the budget for 2006, which would bring the program total to $72.4 million.
Beyond underfunding, Gorelick and others, including Richard Clarke, the former special advisor to the president for cyber security, are concerned that protecting the nation's Internet infrastructure needs a single strong leader, a quarterback type, to call the shots.
"With the exception of banking and finance, I would broadly give [U.S. industry] an F, especially the government," Clarke said during a panel discussion this week at the RSA show. "It's fine for all of you in the industry saying you don't want to regulate. But if you threaten to regulate an industry, they respond. But then you have to follow through."
Clarke reminded attendees that, based on arrests made by authorities, terrorists are believed to be using advanced hacker tools and to be communicating with each other over standard Internet protocols, protected by one-time passwords.
Without a sustained effort by private and public groups, Clarke said, the United States would again be caught off guard, as it was by the bombing of Pearl Harbor and the 9/11 attacks.
"On the issue of cyber security, we are forewarned," Clarke said.
Surveying Cyber Security
The surveys released this week report on the progress made in cyber security in the public and private sectors.
The ITAA published the results of its survey, which was conducted by USC's Institute for Critical Information Infrastructure Protection. The organization said respondents were asked to describe their top two or three accomplishments in cyber security over the past two years.
Responses included an extensive array of capabilities for large-scale network intrusion detection, early warning systems for communicating cyber threats and attack patterns, and numerous structures for sharing security-related information within and across industries.
In addition, respondents said they made substantial investments in new information security products and product enhancements in intrusion detection and prevention, threat pattern detection, patch management, antivirus, spyware protection, firewalls, encryption, ID theft prevention, authentication, access control, privacy and related areas.
Other examples of cyber security accomplishments by respondents include:
- Automatic online security updating of system and application software;
- Multi-industry efforts to establish cohesive cyber security standards, metrics and organizational performance baselines;
- Creation of several programs for cyber security assessment and certification;
- Establishment of laboratories, collaborative efforts, courseware and other university-level instruction; and
- Development of Web sites and other outreach activity.
"We cannot rest on our laurels, however, because much remains to be done," said Harris Miller, president of the ITAA, in a statement. "In the next few weeks, the National Cyber Security Partnership will come forward with a set of multi-industry commitments to improve the private sector's information security posture in the future."
According to the ITAA, the partnership is an informal gathering of private-sector organizations across industry sectors and academia committed individually and collaboratively to implementing the president's cyber space strategy.
Another cyber security survey, a joint report by the Information Systems Security Association (ISSA) and the BSA released this week, found that more organizations have raised security to the senior management level.
Of the companies surveyed, 76 percent said they recognize that making security a priority makes them more efficient and less likely to suffer downtime, and gives them a competitive advantage in their market.
While 59 percent of security professionals continue to believe there will be a major cyber attack in the next 12 months (down from 65 percent in October 2003), 73 percent say they feel better prepared to fend off such an attack than they were just 12 months ago.
"Today's communication capabilities have created dramatic new opportunities for both good and evil," said David Cullinane, president of the ISSA, in a statement. "Cyber security has been recognized as a top priority for both the public and private sector. We must continue to work with governments and businesses on an international level to improve our security."