Computer security in focus

[InfoSec News <isn () c4i org>]

http://www.siliconvalley.com/mld/siliconvalley/7402121.htm

By Elise Ackerman
Mercury News
Dec. 03, 2003

As George Bush makes national security the watchword of his
presidency, some Silicon Valley leaders worry cybersecurity seems to
have slipped off the administration's radar screen.

Implementation of a highly touted ``national strategy to secure
cyberspace'' has been delayed almost a year. Billions of dollars
intended for cybersecurity programs -- to protect everything from
federal networks to home computer users from everyone from adolescent
hackers to cyberterrorists -- have not been spent. Two presidential
advisers for cybersecurity have left the government, one after only
two months.

Today, a group of lobbyists, business leaders, elected representatives
and security experts hope to refocus the administration's attention on
the risks of vulnerable computer systems at a ``National Cyber
Security Summit'' in Silicon Valley. Among those expected to be
listening at the Santa Clara Marriott are Homeland Security chief Tom
Ridge and Robert Liscouski, the Department of Homeland Security's
assistant secretary of infrastructure protection.

``I think everyone is frustrated by the lack of forward movement,''
said 3Com Chairman Eric Benhamou, who headed one of five
industry-sponsored task forces that will present a series of
recommendations at the summit for putting federal policy into
practice.

``Our goal has been to really encourage the senior people in the
department to make sure a high priority is given to this aspect of
security,'' said Rick White, president and CEO of TechNet, a
technology lobbying group that is one of four industry sponsors which
are paying for the summit.

``The threat is really very easy to understand,'' former cybersecurity
czar Richard Clarke told Congress last spring. ``If there are major
vulnerabilities in the digital networks that make our country run,
then someday, somebody will exploit them in a major way, doing very
great damage to the economy.'' Computer-powered systems managing
transportation, electric power, gas, manufacturing -- even 911 calls
-- could fail, Clarke said.

Presidential agenda

Past efforts by the tech industry to place cybersecurity on the
presidential agenda have been successful. In 1998 then-President
Clinton launched a federal initiative to secure cyberspace, appointing
Clarke as national coordinator for security, critical infrastructure
and counterterrorism.

In 2001, the Bush administration followed up, establishing a
high-level executive board to coordinate the federal efforts started
by Clinton. Last year, Clarke, who had been named a special adviser to
the president for cybersecurity, began aggressively promoting a new
White House blueprint for dealing with electronic threats known as the
``National Strategy to Secure Cyberspace.''

But the strategy was substantially weakened while being readied for
President Bush's signature. Two weeks before the administration
adopted it, Clarke resigned.

Howard Schmidt, former security strategist at Microsoft, stepped
briefly into the post before resigning two months later to become
eBay's security chief. After his departure, the responsibilities of
the cybersecurity czar were transferred to a newly created National
Cyber Security Division of the Department of Homeland Security.  
Momentum stalled while the department struggled to fill hundreds of
jobs. The division's new chief, Amit Yoran, a former executive with
Symantec, did not assume his post until mid-September.

``We lost some time,'' said Greg Garcia, a vice president of policy at
the Information Technology Association of America, a lobbying group
and summit sponsor. The other industry sponsors are the Business
Software Alliance and the U.S. Chamber of Commerce.

Five areas of attention

Garcia said the task forces are concentrating on five areas: raising
the awareness of individual computer users about the need to protect
their machines and update their software programs; creating a national
cybersecurity response system; establishing best cybersecurity
practices within companies and corporations; establishing best
practices with regards to technical standards; and reducing computer
vulnerabilities.

Though lobbying groups are underwriting the summit, Garcia said the
gathering was not a form of lobbying per se because the business
community is not asking for anything except implementation of
government policy.

In fact, one expert says the sponsors have aggressively sought to
shape cybersecurity policy, fighting off regulations that would have
required companies to disclose security vulnerabilities and their
level of cyber preparedness. ``The most powerful lobbying in the world
is deflection,'' said Alan Paller, research director at the SANS
Institute in Maryland, which focuses on cybersecurity training.

But Paller said the summit still could be useful if it raised the
profile of cybersecurity. ``The federal government has to lead by
example,'' he said, noting that one of the biggest improvements in
cybersecurity has happened in an area that was excluded from the
national strategy.

For instance, procurement officers at federal agencies have begun
requiring suppliers to deliver products that meet security benchmarks
established by the Center for Internet Security in Hershey, Pa. Karen
Evans, who as the Department of Energy's chief information officer
helped negotiate such an agreement with Oracle, now oversees
technology purchasing for the entire federal government at the Office
of Management and Budget.

Yoran praised Evans' approach. ``Industry's voice is one we listen to
and take into account,'' he said. ``But it is clearly not the only
voice. We are concerned with what is in the public interest.''

Yoran said today's summit will facilitate dialogue not only between
industry and government, but between users of security technology and
academic experts as well. The summit is a ``call to action,'' he said,
and a way of letting the public know ``we are now in operations
mode.''


----------------------------------------------------------------------
Contact Elise Ackerman at eackerman () mercurynews com or (408) 271-3774.
 



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.