Do you get feedback from the private sector as to what DHS should be working on?
Sachs: We get a lot of feedback. We try to get to as many events as possible, such as the North American Network Operators Group. It gives us the opportunity to talk with several hundred ISPs, equipment manufacturers and other vendors that are there. We've also hosted some emerging security technology forums. We just had a tech forum with about 75 CEOs, CFOs, CIOs and others from around the Menlo Park area, who gave us some really neat ideas on things that they would like to have Homeland Security working on. Plus, from the corporate side, the ISPs, the telecoms and others are working with us on collaboration teams to provide DHS with the input for projects like DNS Sec, secure routing projects and others.
How do enterprises benefit from sharing information with DHS?
Sachs: Enterprises bring some really good stuff to the table. There's a lot of expertise in the enterprise world. There's a much broader view into what's happening commercially as well as what's happening with their customers. What the government brings to bear is the ability to integrate a lot of that information and facilitate cross-sector sharing that normally wouldn't happen within organizations or even within the same sector.
So, let's say you have two banks. The ability of those two banks to cooperatively share information is hard, but if both of them have shared with the government and the government can share a larger sector view point back, then they benefit from the fact that the government acts as the safe mediator. Plus, the government can bring in test beds and other types of expertise that the private sector may be limited or restricted to because of regulatory requirements and other restrictions that they might be under.
What role does the private sector play in DHS' research projects?
Sachs: Homeland Security gets its requirements from several places. To satisfy those requirements, we have to partner with the general public, with industries, with academia and many others. There are a number of companies that Homeland has funded. We work directly with these companies. They bring to us great insight because these are real life companies--these are not just little start-ups. They're out there making money and struggling just like everyone else is. They are our forward observer eyes--those organizations that are way out in front and can bring back some good intelligence tell us what's really happening in the business world and can tell us what the real requirements are, not necessarily what the bureaucrats might see.
How does the private sector benefit from the research being done by DHS?
Sachs: It's imperative that those who work in the computer security world know that this research is not just about doing science and technology just for computer science's purpose. It's literally to save the Internet from itself. We are trying to create an environment where we can have e-commerce, trusted cyberspace, all the things we were dreaming of in the 90s when the dot com bubble was exploding but we can't have today because of all the insecurities. We risk losing all that stuff if we don't figure this out pretty quickly. That's where DHS and others in this space come together--seeing that vision of the future, recognizing that we can rebuild the Internet as securable as possible. But it has to be done not just by the government but as a true partnership. It's a public-private effort. The Internet doesn't belong to anyone in particular. It's not run by the US Government; in fact, it's not run by any government. It's run by everybody that uses it, and that requires everybody using it to step up to the plate and think about security.
How can security practitioners make a difference in the state of cybersecurity?
Sachs: The biggest thing the enterprise leader can do is set policy. Set forth good rules of the road to tell the employees exactly what they should and shouldn't be doing with their systems. And this is not something that starts down inside the server room. Good policy management starts up at the board of directors, starts with those who understand the risks to their company, the financial risks, the operational risks, the risks of staying in business tomorrow. Take all of that as good policy and then it makes it fairly straightforward for the network admins to know what their rules of the road are: what firewall rules to build in, what to look for in the IDS logs, what services to turn on or off. All they have to do is translate that policy into a technical way of doing business and their networks will be much more secure than their next-door neighbor's networks. The way we see most threats work their way out on the Internet, particularly those that are human generated, is they tend to go for the weaker target. So if you are more secure -- you'll never be perfectly secure -- but if you are more secure than somebody next to you, the threat goes after your neighbor and you live to fight another day. So, while perfect security is not attainable, you get pretty close if you start with good policy, good user education and awareness, and apply the technical best practices to bring all that into being.
About the author
Michael S. Mimoso is Senior Editor of Information Security magazine.
This was first published in December 2005