Behind The Firewall: Greg Garcia, the recently appointed assistant secretary for cybersecurity and telecommunications at the Department of Homeland Security, made his debut in the security community at last week's RSA Conference, and if you closed your eyes, you could have been forgiven for wondering whether the speaker was Garcia, Richard Clarke, Amit Yoran or any of the others who have passed through that office in the last five years.
Garcia wisely appealed to the security professionals and vendor reps in the audience by saying that the government needs the help of the private sector to make the Internet more secure and that information sharing is vital to the success of this effort. He specifically asked companies to join the ISACs (Information Sharing and Analysis Centers) in their industries in order to help the government gather more data on attacks, intrusions and other common problems. Garcia also made a point of saying that he wants to work with other federal agencies to develop government-wide security policies as an example for the private sector.
All of this makes perfect sense. And it made perfect sense in 2002 when it was initially put forth in the National Strategy to Secure Cyberspace, the massive document that has hung like an albatross around the neck of every successor to Clarke, who spearheaded its creation. President Bush himself wrote in a letter that accompanies the national strategy that he believes public-private partnerships are vital to the success of the plan. "The cornerstone of America's cyberspace security strategy is and will remain a public-private partnership. The federal government invites the creation of, and participation in, public-private partnerships to implement this strategy. Only by acting together can we build a more secure future in cyberspace," Bush wrote.
In fact, very few of the provisions in the strategy have been implemented in any meaningful way, and every man who has followed Clarke has ended up leaving in frustration over the government's seeming indifference to information security issues. Publicly, they all parrot the company line that cybersecurity is a top priority and they need the private sector's help to accomplish their mission. But privately, these men say that it doesn't matter how much support they get from the private sector because information security is so far down the list of priorities in Washington that it's a non-factor.
Partnership efforts have come and gone, but few have had any real success. Several of the ISACs have regularly scheduled status calls with DHS officials, but private sector executives involved in those meetings say that little comes of them, aside from requests from DHS for more meetings and more data. So there's not a lot of actual sharing going on.
It's hard to see how any of this will change anytime soon, either. But Garcia may have a better shot than any of his predecessors. He's known in the security community through his work at the Information Technology Association of America and National Cyber Security Partnership, but he's not a career techie. He's a policy-maker who once worked for the House Committee on Science, and as such knows his way around the corridors of power in Washington. And that kind of insider's knowledge is just what's needed to get things moving.
But the clock is ticking. The Bush administration's eight-year roller coaster ride ends in a little less than two years, and whoever occupies the Oval Office next is likely to put his own team in place at DHS. So time is running short for meaningful action. No time like the present to get started.