Feds urge tech firms to assume cybersecurity leadership

The technology industry needs to make a more concerted effort to boost its own cybersecurity as lawmakers, organizations and companies look to industry leaders to contribute to the homeland security strategy, federal officials said Wednesday.

The focus on cybersecurity has heightened since the Sept. 11 terrorist attacks, especially because many companies had little or no methods of data recovery to keep their technology systems working. Federal and state lawmakers also are increasingly concerned about cyberattacks that could threaten critical infrastructures like electricity grids and telecommunications networks.

"There's an underlying sense that the market isn't going to respond well to this," John Tritak, head of the Critical Infrastructure Assurance Office (CIAO), said at an Information Technology Association of America and Computer Sciences Corp. cybersecurity conference. "There's actually an opportunity to demonstrate that those fears are exaggerated by recognizing what the responsibilities of private industries are" and recognizing where they need federal help.

Tritak said industry input is essential to the homeland security effort being headed by White House Homeland Security Director Tom Ridge, with help from White House cybersecurity adviser Richard Clarke, Tritak and others. Tritak said that in a recent meeting, industry representatives for the first time acknowledged that a cyberattack that could hurt service delivery is their No. 1 fear.

Tritak said that Sept. 11, if nothing else, "convinced private industry that cybersecurity and homeland security is a business concern." He warned that government might intervene if industry fails to provide that security, and that CIAO has become the "designated piñata" to pull together industry and the federal government. "I'm hoping this national strategy we're putting together isn't going to be a coffee-table book," he said.

Even industry leaders acknowledge the shortfalls. "We can build all the technology in the world to secure things, but unless you apply it, it doesn't work," said Internet founder and WorldCom executive Vint Cerf. "Security is inconvenient. People don't like it ... but they need to get into the habit."

"We're not on the road yet, we're not on the freeway" when it comes to security, SecurityFocus CEO Arthur Wong said. "As a matter of fact, we're not even out of the driveway."

RSA Security CEO Arthur Coviello said the federal government, for the most part, is doing a "good job" at enhancing security with the use of digital certificates and various authentication technologies, such as public key infrastructure (PKI).

He said the recent update of encryption standards also is important. "I think that's another great way government can help," he said. "Pushing standards--that's what helps interoperability."

Microsoft security chief Howard Schmidt said he hopes government security efforts such as GovNet will use a at least a minimum level of PKI and build on that with industry input to ensure maximum security. Treasury Department CIO Jim Flyzik said Schmidt "was coming to the government in January." Schmidt is expected to take a senior position under White House cybersecurity adviser Clarke. Schmidt, however, did not confirm this.

"Security is a journey," Schmidt stressed. "It's not a destination."