Issue Of The Week: June 21, 2004
A Status Report On Cyber Security
by William New
Almost everybody agrees with the need to protect digital information from computer-based attacks, but few parties agree on whether the government and private sector are providing that protection in the right way. Since the innovation-driven years of the 1990s, the awareness of security problems has increased dramatically, especially since the terrorist attacks of Sept. 11, 2001.

"What we're all struggling with is what to do about it," said Bill Conner, chairman and CEO of Entrust, a top information security firm. In an interview last week, he took the industry view that more regulation or legislation is not the answer but that common standards for security would help. For industry experts like Conner, government's best role is to enable business to solve the problems by providing resources, leading by example and working in partnership with industry.

A Maturing Bureaucracy

Many new public and private-sector initiatives aimed at improving cyber security have begun in the past year. Most experts interviewed in recent weeks said this year would prove pivotal for refining the nation's somewhat scattered approach to cyber security.

Numerous government agencies are involved. The White House Office of Management and Budget remains in charge of budgeting issues for federal agencies' information technology. The defense and intelligence agencies continue to raise the bar on security as they increase their dependence on digital information. And the National Information Assurance Partnership (NIAP) is a collaboration between the National Institute of Standards and Technology and the National Security Agency on IT security testing.

Debate has arisen over the new Homeland Security Department's role. The House Homeland Security Committee, which has a Cybersecurity Subcommittee, has focused on the issue. In an April 26 letter to Homeland Security Secretary Tom Ridge, the committee expressed "serious concerns" about the department's cyber-security efforts.
The committee said the department has not provided "clear evidence" that it is "systematically implementing" the February 2003 national cyber-security strategy and demanded a detailed plan. The committee also said there is "growing sentiment" that the National Cyber Security Division created in June 2003 "may be ill-equipped to fulfill its mission." The panel suggested moving cyber-related functions in the National Communications System into the division and probed the department's feeling about elevating the division's director to the level of an assistant secretary reporting directly to the undersecretary for information analysis and infrastructure protection. Amit Yoran, the chief of the cyber division, currently reports to the assistant secretary for infrastructure protection, Robert Liscouski. Some experts have argued that Yoran is limited by his position being four levels below the secretary.

The department replied to the committee on May 15 with a roughly 40-page detailed description of cyber-security efforts that amounts to a progress report on the cyberspace strategy. It shows progress and remaining work on pre-existing and new initiatives. A key development was the department's partnership with the U.S. Computer Emergency Readiness Team (US-CERT) as its cyber-security operational entity. US-CERT launched a cyber-alert system in January.

Pamela Turner, Homeland Security's assistant secretary of legislative affairs, said in the accompanying letter that the department recommends that the National Communications System remain separate until the cyber-security division matures. On the idea of elevating the director's position, the department, backed by a letter from former White House official Frank Cilluffo, emphasized the need to keep an integrated approach to cyber security and physical security.

The Path Toward Improvement?
Private-sector sources have cited culture clashes -- such as those between technology experts and law enforcement -- and turf battles as the diverse department settles. The House committee's draft authorization bill for the department contains an eight-page proposed change to the cyber provisions of the 2002 law that established the department. The bill would order the Homeland Security secretary to independently assess cyber security within the department and take actions to correct problems. And it proposes to raise the level of the department's top cyber-security official to assistant secretary of a new National Cybersecurity Office, still under the information analysis and infrastructure protection. The new assistant secretary would have numerous responsibilities but would not have authority over other agencies.

The responsibilities would include creating and managing: a "national cyber response system;" a national program to reduce cyber security threats and vulnerabilities; a national cyber awareness and training program; and programs of coordination among federal, state and local governments, as well as with the private sector and with international partners. The official also would coordinate with other department directorates on research and development, emergency preparedness, and private-sector information-sharing processes. In addition, the person would coordinate with Homeland Security's chief information officer, annually assess cyber-security risks, and "consult and coordinate" with other federal agencies.

The bill would transfer funds from Homeland Security to the National Science Foundation for grants to develop regional cyber-security laboratories and professional development programs at community colleges. The transition would be authorized at $3.7 million. The cyber-security division is slated to receive about $80 million each year in fiscal 2004 and fiscal 2005.
The authorization bill has faced some political resistance and currently is targeted for committee consideration in early July. Backers say that if necessary, they will consider other paths for enacting the cyber-security provision, which they believe enjoys bipartisan support.

The Cacophony Before The Harmony

In the private sector, the National Cyber Security Partnership was established after a December summit on strategies to better protect the nation's information infrastructure. The Business Software Alliance, Information Technology Association of America (ITAA), TechNet and U.S. Chamber of Commerce lead the partnership, whose five task forces issued recommendations earlier this year and are awaiting responses from Homeland Security.

Another group was created after House Government Reform Technology Subcommittee Chairman Adam Putnam, R-Fla., considered legislation to mandate cyber security. That group will begin phase two this month, aiming at completion of its work by next year. And ITAA President Harris Miller chairs the Partnership for Critical Infrastructure Security.

Industry also is partnering with government through the President's Information Technology Advisory Committee (PITAC). Under direction from the White House Office of Science and Technology Policy, a PITAC subcommittee is constructing a questionnaire to learn more about cyber-security R&D. TechNet also administered a questionnaire, with 80 questions aimed at CEOs and will report the outcome this week, according to TechNet President and CEO Rick White. He also said he would support a public-interest advertising campaign on cyber security and is considering the idea of an industry organization that could continually develop standards.

Internationally, 15 countries crafted "common criteria" on software standards. And former administration expert Paul Kurtz is heading a new Cyber Security Industry Alliance.
Greg Garcia, vice president for information security at ITAA, said he expects cyber-security issues to settle in coming months. "There's going to be cacophony before there's harmony," he said. Garcia also warned against "oversimplified assertions," such as the view that cyber-security problems are the fault of software makers who fail to build sufficient protections.