Issue Of The Week: January 20, 2004
Toward A More Secure Cyber World
by Ted Leventhal

The information technology industry is hard at work on solutions for protecting computer networks from attacks of all sorts. Several working groups have been meeting under the auspices of both Congress and the Bush administration for more than a month and are promising at least interim solutions to the problem of getting government, industry and the general public to take positive steps toward securing cyberspace by late winter.

"It has been analogous to the establishment of the Department of Homeland Security," said Larry Clinton, president of the Internet Security Alliance. "There's a lot of activity, but it's hard to assess the outcome so soon. What is becoming more broadly understood is the enormity and complexity of the problem. Therefore, solutions or outcomes won't come as quickly as people would hope, and I'm not sure that is necessarily a bad thing."

The Pass To The Private Sector

The debate over how to secure cyberspace turned a corner in November when Florida Republican Adam Putnam, chairman of the House Government Reform Technology Subcommittee, decided not to submit draft legislation mandating security measures. Putnam's plan, modeled after the reporting standards for company preparations for the Year 2000 computer problem, called for mandating that companies report on their computer security.

Tech industry lobbyists had argued that such a regime was premature and unworkable, saying that such a law would secure too few computers at too great a cost and that the Securities and Exchange Commission lacked the expertise to craft reliable computer-security standards.

"If you have a bad financial audit, a company loses money and is forced to restate earnings," Clinton said, "but if you have a bad cyber-security audit, people could lose their lives. ... We said, 'We need to find a more dynamic model and make the marketplace motivate people.'"

Industry pledged to create its own comprehensive, voluntary regime on computer security, and Putnam relented, instead opting to create the working group on the issue. "I didn't come to add pages to our [nation's] code book," he said.

Putnam's working group includes representatives from the Business Roundtable, Information Systems Security Association, National Federation of Independent Businesses and U.S. Chamber of Commerce. It is divided into five working groups focused on: security "best practices" and principles; private-sector incentives; government procurement and security; education and awareness; reporting and information sharing; and performance metrics.

"The work is going extremely well," said Bob Dix, the subcommittee's chief of staff. "The groups are working aggressively to get options and alternatives to present to the chairman in early March. The work is ambitious, but these people represent corporate America and academia and are lending great expertise to the issue."

Plenty Of Work For Everyone

Meanwhile, the National Cyber Security Summit Alliance, an industry coalition working with the direction of the Homeland Security Department, created its own working groups in the wake of last month's cyber-security summit in Santa Clara, Calif. The groups are tackling similar issues and also promise recommendations by March.

The alliance is conducting "distinct yet complementary activities" to Putnam's working group, said Robert Holleyman, president and CEO of the Business Software Alliance (BSA), which chairs a directorate on security in software development. The more attention and resources devoted to securing cyberspace, the better, Holleyman said.

"No one believes there is a single silver bullet that will solve the problem of the lack of attention paid to cyber security," he said.

"Our goal is to create a culture of cyber-security awareness, recognizing that without cyber security, there is no physical security, and without both, we have no economic security as a nation," he added.

Holleyman said the National Cyber Security Summit Alliance expects to publish a preliminary report on its findings March 1.

Holleyman and Clinton maintain that there is enough work for both their groups to tackle without running the risk of redundancy.

"There is so much work to be done so quickly, whatever inefficiencies are created are tolerable," Clinton said. "We both have programs on best practices and awareness, and while someone could say that is inefficiency, others could say it is useful redundancy. ... We could have 20 groups working on cyber-security awareness, and we wouldn't get enough done."

"There may be a high degree of consistency between the recommendations of [the Homeland Security Department] and Putnam's [subcommittee]," Holleyman said. "It is possible that there will be a wholly original idea coming out of one committee, but the reality is people think it will take a series of recommendations" to effectively address the issue of cyber security.

"Our hope is that the federal government can act to set the right culture," he added. "The president's National Strategy to Secure Cyberspace set the right tone. Now, driven by private-sector innovation, we will be able to substantially improve on the status quo."

The Workload Of The Working Groups

Still, fundamental challenges remain. Given the size and complexity of the problem, the role of government in crafting a solution is limited, with a large part of the problem outside the national security purview of the federal government.

Clinton noted that criminals and vandals, not terrorists, perpetrated the majority of the 250,000 computer-security incidents reported last year. "But in America we get into these working groups, and this stuff gets melded together as if it is the same thing," he said.

Government and industry must do a better job delineating each other's responsibilities, he added. "I'm not sure we've teased out what strategies are necessary for domestic economic security as opposed to traditional terrorist attacks."

"You can secure the ports and power plants in the cyber arena 100 percent, but someone could still cause disruption in other areas," Clinton said. "It's a question of what is homeland security focused on and what are the owners and operators of the Internet focused on. They have aligned concerns, but it is hard to make public/private partnerships work. The concerns don't line up 100 percent."

Any successful cyber-security plan must include foreign businesses and governments, Holleyman said. "By definition, network security does not stop at the nation's borders. We need to create a broad cyber-security framework." Toward that end, BSA is lobbying senators to ratify the Council of Europe's treaty on cyber crime, which is expected to be debated this year.

It is unclear whether the threat of legislation has passed. "Nothing is off the table now," Dix said. "The draft legislation is being held in abeyance while the working group deliberates."

Yet while Putnam will decide this spring whether to push a legislative solution, his preference is "toward the private sector, not legislation," Dix added. "He is very appreciative of an alternative approach to a solution."