Feds, industry form security alliance

SANTA CLARA, Calif. — Federal and industry officials unveiled a strategy last week for cooperating on security initiatives, which has been one of the more elusive elements of the Bush administration's national cybersecurity strategy.

The plan, introduced at the National Cyber Security Summit held in Santa Clara, Calif., includes five task forces that bring together experts from the public and private sectors.

These tasks forces will develop a plan for addressing common concerns from the two communities.

Organized by officials from the Homeland Security Department in conjunction with four industry groups, the summit focused on the information technology market, but the actions and initiatives officials agreed to develop will be used across all sectors and within government, said Amit Yoran, director of DHS' National Cyber Security Division within the Information Analysis and Infrastructure Protection (IAIP) Directorate. One of the most obvious areas for mutual improvement is to develop a better security alert and warning process, he said.

A key goal for the summit was to move beyond the longtime theme of public/private partnership and begin taking real steps. In other words, DHS officials wanted proof that industry could back up its security talk with action.

"Partnership means more than just saying we're working together.... We need deliverables, we need metrics," said Robert Liscouski, assistant secretary for infrastructure protection in IAIP.

One of the questions people most often ask is whether industry leaders are helping improve the nation's cybersecurity or if they're dragging their feet. DHS officials need to provide a positive answer and specific examples, Liscouski said. "If we can't tell that story, I can tell you there are a lot of people out there willing to legislate compliance," he said.

Experts from government and industry at the event offered several reasons why improvement could happen now when similar proclamations and visions in the past have resulted in little or no change.

The chief executives at companies across the country are finally feeling the pain and the threat of cyberattacks, said Eric Benhamou, chief executive officer of 3Com Corp. Security incidents are no longer something that happen to other people, and they can't be ignored, which means that they must be dealt with on par with other corporate concerns, he said.

Additionally, the DHS' mission provides an added impetus that had been missing in years past, said Sallie McDonald, director of strategic partnership within IAIP.

But if this really is the turning point, it's still not going to be easy, Liscouski warned. "This is a long-term journey. You should not be mistaken and think that this is going to happen overnight," he said. "We're going to have problems and there are going to be bumps in the road."

Each task force has until March 1 to develop specific measures that will be implemented under DHS' supervision, but officials have already identified several steps to make progress quicker.

For example, the Cyber Security Early Warning task force plans to complete the draft of a comprehensive plan to identify information needs and establish guidelines for handling that information by the group's next meeting on Dec. 17, said Guy Copeland, co-chairman of the task force and vice president of information infrastructure advisory programs at Computer Sciences Corp.

That straw man document will be the basis for the real, practical solutions to be reported in March.

But leaders also told members of the task force to develop a one-page proposal within the next two weeks for a small implementation within their own organization that could represent a "baby step" toward larger solutions, he said.

Whatever warning solutions are developed will definitely help federal agencies, experts said. Also, more security-conscious software development practices will result in better commercial products, and greater security governance will cut down on vulnerabilities in the partners that agencies connect to through e-government, said Ed Roback, chief of the National Institute of Standards and Technology's Computer Security Division and co-chairman of the Technical Standards and Common Criteria task force.

The entire process will take time, and government has not ruled out stepping in with some sort of regulation or legislation, Liscouski said.

"We are not going to let anybody who operates in this space dodge their responsibility," he said.

***

The tasks at hand

The five task forces formed by government and industry under the Homeland Security Department focus on different segments of the problem of securing the United States against cyberattacks.

Awareness for Home Users and Small Businesses: Expand on existing outreach programs such as Stay Safe Online and Cyber Citizen.

Cyber Security Early Warning: Begin to develop a national cybersecurity response system, including implementation objectives for the U.S. Computer Emergency Response Team.

Best Practices and Standards — Corporate Governance: Establish guidelines and best practices for cybersecurity roles and responsibilities within organizational management structures.

Best Practices and Standards — Technical Standards and Common Criteria: Develop new tools, technologies and practices, such as secure configuration guides, to reduce vulnerabilities across all sectors.

Security Across the Software Development Life Cycle — Secure Software: Find new methods to reduce vulnerabilities included in products during development, including determining how to teach building secure software.