A panel of former government experts in cybersecurity on Wednesday assessed the need to address that issue.
At a Center for Strategic and International Studies conference, Ronald Dick, director of strategic initiatives on information assurance at Computer Sciences Corp., identified several drivers for improving cybersecurity and protecting critical infrastructures. Dick once headed the FBI's National Infrastructure Protection Center, whose functions were absorbed into the Homeland Security Department this year.
Dick said the level of awareness of cybersecurity issues is high, with reports of failures to protect information circulating every day. He said regulations, standards and even legislation on the matter are proliferating.
He also cited "rumblings" in the legal community about challenging the law that protects companies from liability even if something happens involving their homeland security technology. And there is increasing attention to including safety procedures in cyber products, much as safety belts eventually became required in automobiles.
Philip Reitinger, senior security strategist at Microsoft, said the recent "brain drain" of top government cyber experts means getting "the right folks" in place is a top priority. Reitinger also pointed to the need for incentives for agencies to better protect cybersecurity, and the need for appropriate technologies.
He suggested that government support the private sector's efforts to protect critical infrastructures by identifying the gaps between what the marketplace will take care of and what is needed. Then it should determine the best way to close that gap with "tailored" government action that poses the least possible intrusion into the marketplace.
John Tritak, former director of the Critical Infrastructure Assurance Office, which also was absorbed into Homeland Security, applauded the creation of a cybersecurity division at the department because he said some high-level officials did not see the need for it. "It was not a foregone conclusion," he said.
"If anyone's going to be kept up all night worrying about cybersecurity, then it better be the Department of Homeland Security," he added.
Tritak said the department needs to "translate cyber risk into corporate risk" by helping top executives see the importance of it, "or the gap between where the market will go and what is needed is going to be wide."
He said the national plan the department is mandated to develop would be the "ultimate" guiding government document on cybersecurity.
Panelists also said the private sector would be more encouraged to share security information with the government if it received more, and more compelling, information on threats.
Stewart Baker, a partner at Steptoe and Johnson, said he was alarmed by statutory language that lets the federal government share private-sector information about cybersecurity with foreign governments as long as the information is considered part of an investigation. "There is a lot of reason to be worried about that," Baker said.