Sharing called key to cyber plan

National Strategy to Secure Cyberspace

The sharing information and responsibility is key to the success of the public/private partnership envisioned in the Bush administration's draft National Strategy to Secure Cyber Space, experts said Sept. 24.

Security experts came together at a forum sponsored by the Cato Institute to share their views on how government and industry should share responsibility for securing the Internet, information technology products, and networks across the country and around the world.

There is widespread agreement that government cannot be solely responsible for the cybersecurity of the critical infrastructure, such as the telecommunications and banking sectors. But, said Scott Charney, chief security strategist at Microsoft Corp., the question remains: How can government encourage companies to meet their responsibility to secure what they own and operate?

"The fact is, it's difficult for government and industry to figure out who is responsible for what," he said. Charney served as chief of the computer crime unit at the Justice Department until earlier this year.

Not all of the details are complete for the steps to promote the improvement of infrastructure security, and many people have criticized the cybersecurity strategy for leaving out important issues and means of enforcement.

That, however, is why the document is open for comment until Nov. 18, said Ken Silva, director of networks and security at VeriSign Inc. And if measures really need to be added or put back in — and if the public pushes hard enough — they will be included, he said.

One key step in improving security is for organizations to share information about vulnerabilities and threats. However, such sharing doesn't occur as much as it should, considering the many mechanisms created for that purpose in the public and private sectors, Silva said. Government and industry must focus on improving that poor record, he said.

In order for information sharing to progress, all parties must understand how it brings value to their mission or their business, said Andrew Purdy, senior adviser for IT security and privacy on the President's Critical Infrastructure Protection Board, which led the development of the cybersecurity strategy.

But information sharing will not really be able to help until government and industry develop the ability to analyze the information, detect patterns, and act to prevent and recover from attacks, Purdy said.