Information Security News mailing list archives

Feds, CIOs Unite on IT Security


From: InfoSec News <isn () c4i org>
Date: Tue, 9 Dec 2003 04:38:02 -0600 (CST)

http://www.eweek.com/article2/0,4149,1406774,00.asp

By Dennis Fisher 
December 8, 2003   

In a major change of heart for both sides, government representatives 
and corporate CIOs are for the first time pledging to share more 
information with each other in an effort to improve security across 
the nation's critical IT infrastructure.

The coming together is the result of efforts over the last month by
the federal government - namely, the Department of Homeland
Security - to recruit the help of the private sector in implementing its
lofty NSSC (National Strategy to Secure Cyberspace). To accomplish
this, the DHS reversed its stance on certain measures of the NSSC that
were heavily criticized early on, such as the lack of private-sector
influence and the establishment of a repository of security data that
would reside with the government. Both issues are now not only on the
table but are also pushing the two sides together.

Government representatives and corporate CIOs met at the National 
Cybersecurity Summit in Santa Clara, Calif., last week and began 
crafting ways to implement the NSSC. During the summit, five task 
forces were organized around specific topics, such as early-warning 
systems and security in software development, and guidelines for each 
topic were developed.

In addition, DHS officials outlined a plan for information sharing 
that would involve the newly created organization US-CERT. US-CERT 
would create four or five reporting programs to alert organizations in 
various sectors about imminent threats such as worm outbreaks or 
widespread attacks. The organization would also provide tips and 
information on protecting against the threats.

Industry executives said the government is finally moving in the right 
direction.

"I think we're making progress on information sharing," said Chris 
Klaus, founder and chief technology officer of Internet Security 
Systems Inc., in Atlanta, and co-chair of the Technical Standards and 
Common Criteria task force at the summit. "We've been getting better 
information from [the government], and we've been working more closely 
with them."

There are also indications that the government may be willing to 
provide to the private sector some sensitive data gathered by 
intelligence agencies on a limited basis, sources said. This kind of 
openness and spirit of cooperation is an about-face for the 
government, which in recent years has been criticized by security 
experts for being slow and stingy in providing data. As a result of 
that criticism, the mandate for change has come down from the highest 
levels of the Bush administration.

"As we confront the crucial issue of cyber-security, it's important 
that our efforts follow a similar path," Tom Ridge, secretary of the 
DHS, said in a speech at the summit. "One where we share information, 
work together and close any gaps and weaknesses that terrorists would 
otherwise seek to exploit. Before 9/11, each separate sector of our 
nation's critical infrastructure had its own mechanism for sharing 
information, but there was no coordination between these industrial 
sectors."

But the change of heart by the government comes with a catch: 
Technology companies must do their part as well or face new federal 
cyber-security regulations. Private-sector security experts and CIOs 
overwhelmingly oppose formal regulations and say they are interested 
in cooperating with the government as much as possible.

"I think we're all ready to contribute now. We're willing to share as 
much as we can. We're all wide open on the government plan," said Ron 
Knode, director of global security solutions at Computer Sciences 
Corp., based in El Segundo, Calif. "But it's not fair for the 
government to say 'Gimme, gimme, gimme' and not reflect anything back. 
There are still some cross-purposes in government that make us anxious 
about sharing. We need to be unencumbered without some legal liability 
you have to think about."
 

