SAN FRANCISCO -- Four months into his new job as the nation's cybersecurity chief, Greg Garcia is busy promoting...
the public-private partnership that's core to the National Strategy to Secure Cyberspace.
Since it was published four years ago, the strategy has mostly gathered dust while federal cybersecurity chiefs came and went and the Department of Homeland Security focused more on physical security. Garcia, formerly a vice president at the Information Technology Association of America, was appointed DHS' first assistant secretary for cybersecurity and telecommunications last September.
At last week's RSA Conference, he told a packed house that cyberthreats will grow and that government, enterprises and academia need to work together to meet the formidable challenge.
"We are all too interdependent to do this independently," he said.
Within the next 10 years, most of the world's communications likely will be handled by a single converged network, Garcia said at the conference. A proliferation of devices connecting to this network will result in a "breeding ground for security problems."
Garcia urged organizations to perform vulnerability assessments on their networks and to "fix what needs fixing." He also recommended companies get involved in the industry groups such as the IT-ISAC (Information Sharing and Analysis Center).
One of his priorities is working with other federal agencies to develop common security policies. "So we can raise the bar and lead by example," he said.
Another priority for Garcia is driving a risk assessment of the nation's critical infrastructure described in the National Infrastructure Plan, which was released last year.
U.S. CERT also is working closely with IT-ISAC and the National Coordinating Center of Telecommunications in order to have a coordinated response to cyber attacks, Garcia said.
During his speech, Garcia suggested that incentives should be explored to drive investment in security. In an interview afterwards, he said incentives such as lower insurance rates for implementing security need to be explored.
"We're not talking about a regulatory model her but about tweaking the marketplace," he said.
An RSA attendee, William Kaminsky, a security consultant based in Walnut Creek, Calif., said Garcia's talk was a start in the right direction.
"It certainly looks like he's going to try to get things going," Kaminsky said.
However, he added, companies need motivation to invest more significantly in security, which often boils down to regulation.