Industry officials sketch priorities for DHS cyber czar

Greg Garcia, the long-awaited cyber-security czar, starts his job at the Homeland Security Department next week, and industry and technology organizations already are encouraging him to take on "a smaller set of priorities" so he does not get overwhelmed by the vast to-do list.

Those priorities, according to Kevin Richards, government relations manager for Symantec, should be "mitigating or preventing a major cyber disaster and articulating a clear chain of command between government and the private sector."

With 85 percent of the nation's critical infrastructure in private hands, the government knows it needs to work with private industry. It has had numerous meetings since the Sept. 11, 2001, terrorist attacks to discuss what kind of policy should be enacted. "What industry has been looking for, waiting for, is leadership," said Franck Journoud, manager of information security policy at the Business Software Alliance.

"There are a lot of ideas on what's needed; now they just need to do it," Journoud added. "For all these things to happen, what's needed is coordination."

Paul Kurtz, executive director of the Cyber Security Industry Alliance, said Garcia and other leaders at the department need to move "very quickly" to set a short list of priorities on communications and cyber security.

Kurtz said his organization sees four priorities. The first is mitigating the risk with a more aggressive research and development program to build secure information systems. Kurtz said that of the nearly $1 billion budget Homeland Security has for its science and technology program, $20 million of that in fiscal 2007 is dedicated to cyber security.

The next priority is an early-warning system. Kurtz said the largely voluntary early-warning information from the private sector is not enough and added that department officials "need to develop their own information flow like [the Defense Department] has that shows the level of security on the networks they depend on."

Richards wants an early-warning system like National Oceanic and Atmospheric Administration has for hurricanes and a communications system to alert stakeholders. He said there is good communication among agencies but not as good from the government to the private sector.

The third item on Kurtz's list of priorities also involves communications in an emergency. He said a scenario where computer bandwidth is reduced could mean trouble getting dial tones for Internet-based calls.

The fourth priority is a plan to recover the Internet after a disaster and what to do during that interim. Part of that plan likely will include how to prioritize high-speed Internet traffic if bandwidth is reduced.

"A lot of people predict [that] in a major cyber-security event, the Internet will not be black but [will] have very little bandwidth going through," Richards said. He and others agree that is an area where government likely would need to resolve conflicts and develop a priority list.

Kurtz said he hopes the planning stage can move quickly so that by the next federal budget cycle, the debate is about resources for specific programs to improve cyber security.