DHS secretary pushes industry to invest in cybersecurity
- By Jill R. Aitoro
- October 15, 2008
Reports estimate that industry owns and operates more than 85 percent of the United States' critical infrastructure, which makes cybersecurity a shared responsibility between government and the corporations that control most computer networks, Chertoff said during a forum at the U.S. Chamber of Commerce.
"The failure in even one component, or one link in the chain, can have cascading effects," he said. "Just look at what's going on in the financial market, which is a too dramatic illustration of what happens when there's a failure of trust. … If ordinary consumers lose confidence in the systems, business suffers and fails."
As attacks increase in frequency, sophistication and scope, Chertoff said, government will focus on three areas:
- Cyber threat detection and mitigation, primarily through the second and third generations of Einstein, an automated system that collects, correlates, analyzes and shares computer security information.
- Education on policies and practices to help reduce insider threats.
- Improving safeguards in the global supply chain to ensure computer components delivered to federal agencies are free of vulnerabilities that could expose systems to attacks.
The last effort, in particular, requires a partnership between industry and government.
No one "can presume that in every country they keep commercial interests separate from national interests," Chertoff said. "We need to come up with ways to validate the security of hardware and software. Private industry has begun initiatives to inject quality controls. Government won't come up with a kind of FDA for computer components [that regulates the market], but we can encourage these types of efforts."
DHS also plans to work with industry to improve existing cybersecurity efforts. In May 2007, the department announced completion of 17 sector-specific plans under the National Infrastructure Protection Plan, which defines roles and responsibilities for all levels of government and private industry in case of a terrorist attack or disaster. Each set of guidelines is customized to address the unique risks of a particular field, such as the chemical industry, or nuclear reactors, materials and waste. DHS will collaborate with each sector to identify cyber risks and work with corporations and organizations to establish priorities and milestones that can help chart progress.
"This is an invitation, not a mandate. We're not in the business to say to industry, 'You must do this,' " Chertoff said, noting that federal funding is not readily available to finance private sector cybersecurity initiatives. "[But] I have no doubt lawyers will tell clients that it would behoove them to make these investments."
