Panel urges cooperation on cybersecurity

[InfoSec News <isn () c4i org>]

http://www.computerworld.com/securitytopics/security/story/0,10801,76610,00.html

By Michael Hardy
IDG News Service
DECEMBER 11, 2002

Protecting financial institutions from cyberattacks requires
increasing levels of cooperation between the government and the
private sector, panelists said yesterday at a conference in Washington
called Homeland Security 2002: Establishing a Culture of Cooperation.

Many of the conference's sessions emphasized such cooperation, which
is being fostered by changing mind-sets in both government and the
private sector.

In the financial services world, the responsibility for keeping up
with threats -- and the technologies that can help guard against them
-- rests with the banks and investment houses, said Richard Marshall,
deputy director of the Critical Infrastructure Assurance Office, one
of 22 federal agencies that will soon become part of the U.S.'s new
Department of Homeland Security.

"The scope of change, the pace of change is just too quick for
government regulators to keep up with," he said. "This has got to be a
self-curing issue."

The key for financial firms is business continuity, he said. The
threat might be electronic, or it might be a physical attack or
disaster. Either way, a firm must be sure that it can continue
operating, protect its customers' privacy and anticipate problems in
time to prevent them.

Marshall's agency is working on the finishing touches to the National
Strategy to Secure Cyberspace, a collection of best practices that
business are invited -- but not required -- to follow in implementing
security programs. The public comment period on the document closed
last month, and Marshall said he expects President George W. Bush to
approve it early next year.

"We don't pretend to know all the answers, but we believe that
together we can help come up with some intelligent solutions," he
said. "And we realize that it's not going to be government-down. It
has to be 'Let's join hands and work together.'"

Financial services firms in general are ahead of other private-sector
industries in securing their information, but they aren't where they
need to be, Marshall said. "You need to raise the security bar," he
said.

The technological challenges are formidable, said Dale Hazel, senior
vice president of marketing at Convera Corp., a software company that
makes search products for businesses. More than some other types of
businesses, financial institutions store massive amounts of data, he
said. Terabyte measurements are common, and he said he has seen some
databases that exceed a petabyte, or 1,000 terabytes. Such mountains
of information stretch the limits of system scalability, he said.

Meanwhile, companies don't have a good handle on how to balance
prudence with overzealousness, said J. Michael Gibbons, a former chief
investigator of computer crime for the FBI, now a senior manager at
consulting firm BearingPoint Inc.

"Those of us in homeland security all just want to understand how much
security is enough," he said. "We want the truth, and the quest for
the truth is the most difficult thing we face."

Inside financial firms, executives see the wisdom of spending money on
security, said Leigh Williams, senior vice president and chief privacy
officer at Fidelity Investments Inc. His company spends about $1
billion per year on technology, much of it security-focused, and
believes that the cost is worth the payback.

"We have for a long time expected a return on our business-continuity
efforts," he said. "We do believe that before the September attacks,
it made a lot of sense to invest very heavily in protecting the data
and systems customers rely on. I don't think that has changed at all
in the last couple of years."

What has changed, Williams said, is the approach to the problems.

"Before September of 2001, we approached security in a very fragmented
way. We tended to split data security from physical [security]," he
said. Since then, the company has come to see both physical and
cybersecurity as part of the same issue.

Fidelity has integrated itself more closely with financial services
firms, smaller banks and other institutions, Williams said. "We're
operating more as an industry and less as a collection of firms," he
said. "And with that, industry is now better connected to government."

During the past couple of years, financial trade associations --
including the Securities Industry Association, the Investment Company
Institute "and a dozen other trade associations" -- have consolidated
their efforts to interact with government through a new group they
formed called the Financial Services Sector Coordinating Council,
Williams said. Meanwhile, government agencies and regulators have also
been consolidating power.

"Instead of there being hundreds of us talking at once and getting
nothing done, we've become much more tightly integrated," said
Williams.

Fidelity plans to sustain its high level of investment in security.  
"It takes a pretty good bite out of our bottom line," he said. "We do
it because we think it will offer us some payback."



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.