Panelists struggle to find answers to cyber threats
Greg Garcia, the cyber-security czar for the Homeland Security Department, said that when customers or partners refuse to do business with companies that do not meet certain cyber standards, "that's when the groundswell [for improving security] is going to come."
Speaking Thursday to the Armed Forces Communications and Electronics Association, Garcia also did not rule out having his department someday bestow the equivalent of the "Good Housekeeping seal of approval" on systems that meet certain criteria.
At a panel discussion following Garcia's speech, Larry Clinton, the chief operations officer for the Internet Security Alliance, expressed frustration with getting companies to comply with best practices in cyber security.
Clinton also railed against a voluntary standardization and accreditation program that would be created under a broad security bill, S.4, being debated this week in the Senate. He questioned whether it really would be voluntary.
"I'd suggest if it really will be completely voluntary, it really will completely fail," Clinton said. "Industry doesn't need a federal law to tell us we can voluntarily comply with standards that we have voluntarily created."
He and others on the panel want government to encourage companies to adopt best practices. Clinton cited a PricewaterhouseCoopers study that said firms using them did not face the same downtime and revenue loss as others, even though they faced the same number of attacks.
Panelists said incentive programs had worked for other industries like agriculture or for flood insurance. They also said better information-sharing about cyber attacks is needed but were at a loss for how to do it.
"The liabilities with sharing are huge," said Al Edmunds, president and CEO of Edmunds Enterprise Services. While information technology departments want to share information, they are blocked by their own companies' legal departments, he said.
Another impediment to sharing information on attacks is privacy concerns, said John Nagengast, a program director for AT&T.
Edmunds said, however, that companies are doing better at protecting themselves but ultimately will need to do more to protect the rest of the system.
Jerry Dixon, who works for Homeland Security's cyber division, said businesses also need to test their disaster-recovery plans by actually operating on them. He said it is "amazing" how many businesses have never done that.
Karl Brondell, a consultant for the Business Roundtable, said the nation needs a better early-warning system for attacks and a plan for who does what when recovering from a major attack. He said institutions that have a role in that now are "clearly stepping over one another's feet."
COMMENTS
- Mr. Clinton hit the nail on the head. As long as compliance with a cyber security standard, or any standard for that matter, is voluntary, the effort is doomed to fail. That dog just won't hunt. There must be incentive -- some type of reward system for compliance (tax credits perhaps) -- and some type of penalty for non-compliance. Until there is incentive to comply which can be translated into a business case, compliance with any national cyber security standard will only continue getting lip service at best. As for a national cyber attack response plan to avoid fratricide in the cyber defense campaign, it is way past time to have the roles and responsibilities ironed out. In the case of a physical attack, we have a pretty good idea about how to deal with it, although there will be unavoidable problems with execution. We at least have a fairly well established paradigm for how to respond. If there were to be a large scale cyber attack against the US information technology infrastructure, we don't really have a clue, because various agency roles and responsibilities, along with civilian contribution/participation, have not been clearly articulated. It's time to "git er done"!
  Jim Wingate, posted March 5, 2007 8:03 AM