Information Security News mailing list archives

Public/private security partnership gets rocky


From: InfoSec News <isn () c4i org>
Date: Mon, 28 Apr 2003 01:19:38 -0500 (CDT)

http://www.computerworld.com/securitytopics/security/story/0,10801,80704,00.html

By DAN VERTON 
APRIL 25, 2003
Computerworld 

WASHINGTON -- The changing of the cybersecurity guard at the U.S.  
Department of Homeland Security (DHS), coupled with complacency on the
part of some corporate executives, has put a higher premium on
information-sharing and cooperation between the private sector and the
government.

"The two words to focus on are cooperation and coordination," said
Richard Davidson, CEO of Omaha-based Union Pacific Corp., which
combats more than 80,000 probes on its networks daily. "That all adds
up to partnership and information-sharing, and that is our best form
of protection during these challenging times," said Davidson, who also
serves as chairman of the President's National Infrastructure Advisory
Commission.

Davidson spoke this week at a U.S. Chamber of Commerce conference in
Washington that addressed the roles and responsibilities of the
government and private sector in homeland security efforts.

Uncertainty stemming from the loss in recent months of critical
cybersecurity leadership at the DHS could escalate into danger for
private-sector companies, said Michael Hershman, president and CEO of
Decision Strategies LLC, an Oakton, Va.-based security consulting
firm.

Companies have started to slow their efforts to boost security because
there has been no terrorist activity recently, Hershman said.

"I'm afraid that they may be drawing back into complacency," he said.  
"In recent months, we've seen corporations stand back, reassess what
their needs are and try to understand what the level of threat is."

But a lack of effective communication between the corporate community
and government agencies has left companies trying to assess their risk
with little or no understanding of the threat, Hershman said.

"Corporations in America have spent billions of dollars for security,
with very little cost-benefit analysis," said Hershman. He noted that
the Bush administration has only added to the confusion regarding who
is ultimately responsible for critical infrastructure security by
assigning responsibility to industry while issuing more than 60
regulations since Sept. 11, 2001.

The lack of order and stability in the way the government currently
deals with the private sector -- a situation exacerbated by the recent
creation of the DHS -- is of immediate concern to Michehl Gent,
president of the North American Electric Reliability Council in
Princeton, N.J.

"We have a constant fight among agencies for the hearts and minds of
industries," said Gent, referring to the multitude of federal agencies
that regularly bombard private-sector entities with requests for
security information. "DHS is supposed to do that, and I'm looking
forward to them being more successful. But in the meantime, I have to
keep warding off [government agencies]."

Howard Schmidt, former vice chairman of the President's Critical
Infrastructure Protection Board, spoke on behalf of the DHS, saying
that information-sharing between the government and industry about
threats, incidents and contingency plans must improve.

One of the major obstacles to improving the public/private security
partnership remains deciding what needs to be done now and what is
part of the strategic vision, he said. "I feel in many instances,
we're trying to put a new coat of paint on the boat while the boat is
sinking."

Schmidt, who had been considered the front-runner to become the Bush
administration's top cybersecurity adviser, announced April 21 that he
is leaving government service after only 17 months. The
former chief security officer at Microsoft Corp. played a key role in
drafting the Bush administration's National Strategy to Secure
Cyberspace, which was released in February. He has also been an
important figure in the administration's efforts to reach out to the
private sector, which owns and operates more than 85% of the nation's
critical infrastructure systems and facilities.



-
ISN is currently hosted by Attrition.org
