Experts Focus on Future of U.S. Cybersecurity
Whoever becomes our next president will inherit a cyber infrastructure under
almost constant attack and at greater risk than eight years ago, and a handful
of experts and legislators have come together to ensure that cybersecurity has
a high priority in his or her administration.
The Commission on Cyber Security
for the 44th Presidency, set up in November by the Center for Strategic
and International Studies, held the second of five planned public meetings Monday
to hear recommendations on issues of information security, identity theft and
Cybersecurity is not a technical issue, panelists said, but a matter of culture,
education and self-interest. Government cannot regulate information technology
security, and industry cannot do the job by itself. Forging the public/private
partnership needed to provide adequate security will require leadership in both
government and industry. Cooperation between the two spheres may not be easy
to come by, said John Koskinen, who spearheaded the government response to the
Year 2000 Transition.
"The private sector is always nervous about what the government is up
to," Koskinen said. Business deals with security in terms of business
cases and managing acceptable risk, while government tends to deal in regulatory
absolutism. And information sharing is always a challenge. The advice of corporate
general counsels is generally "Don't tell anybody anything."
But the Y2K transition showed that effective cooperation is possible if government
acts as a catalyst to establish priorities and bring different sides together,
The nonpartisan think tank established the commission "to develop recommendations
for a comprehensive strategy to improve cybersecurity in federal systems and
in critical infrastructure." Its goal is to have a package of recommendations
ready for the next president by November. Cybersecurity will be vying with numerous
other domestic and international, economic, security and political issues for
the presidential transition team's attention. Establishing it as a high
priority will require putting it on the legislative and policy agenda from the
beginning of the administration, organizers say.
Co-chairmen of the group are the former director of the U.S. National Security
Agency, ret. Adm. Bobby Inman; Scott Charney, vice president of trustworthy
computing at Microsoft; Rep. Jim Langevin (D-R.I.), chairman of the Homeland
Security Subcommittee on Emerging Threats, Cyber Security and Science and Technology;
and ranking Republican Rep. Michael McCaul of Texas. Members of the commission
include Amit Yoran, formerly top cybersecurity official at the Homeland Security
Department; Orson Swindle, formerly of the Federal Trade Commission; and Marty
Stansell-Gamm, former head of the Department of Justice's computer crimes
division; in addition to a number of industry executives.
There was not complete agreement among panelists on cybersecurity priorities.
They agreed that a single national data breach notification law is needed to
replace the current patchwork of 40-plus state laws. Although Lisa Sotto, a
partner at the law firm Hunton and Williams, called for federal preemption of
state laws, David Mortman, chief information security officer-in-residence at
Echelon One, wanted federal law to set a baseline for breach notification without
precluding stiffer state requirements.
Julie Ferguson, vice president of emerging technology at Debix, called for
a zero-tolerance policy for identity theft enforced by required verification
of online transactions with consumers. Jay Foley, founder of the Identity Theft
Resource Center, called for creation of a national death registry and for the
Social Security Administration to create a database tying Social Security numbers
with dates of birth to help prevent misuse of the numbers even though efforts
are being made to stop their use as a unique personal identifier.
Pamela Fusco, executive vice president of security solutions at Fishnet Security,
said she wanted to establish an International Data Classification Standard that
could help identify and assess value and risk to data. This would improve business
practices and help put teeth in government regulation, she said.
"Information is not being identified as essential," Fusco said. "We're protecting
machines, we're protecting access, we have not developed standard ways to classify
and prioritize the information that underlies them."
William Jackson is the senior writer for Government Computer News (GCN.com).