President Obama's announcement last week of the creation of a White House senior cybersecurity coordinator signals a dramatic, and long overdue, shift in emphasis toward critical infrastructure protection: the country runs on networked applications, and other countries have targeted critical elements of the U.S. infrastructure.
The White House action is a result of the Cyberspace Policy Review, a 40-page document summarizing the findings of a 60-day cybersecurity task force. There are many tasks that the soon-to-be-named cybersecurity czar will have to tackle, but the relationship between the government cybersecurity team, enterprise IT organizations and private-sector security vendors, and the assignment of responsibilities among them, is particularly important if the mission of critical infrastructure protection is to succeed. Several ideas expressed in the Cyberspace Policy Review are worth calling out:
Lift the cloak of secrecy from security. Organizations seldom talk publicly about their security programs, or even which security products they use, for fear of giving intruders the information needed to plan and launch a targeted attack. The effect is to inhibit peer review of security architectures, open dissemination of security best practices, and an efficient market that constantly improves the state of the security art. Government agencies can sponsor security advisory panels composed of IT peers from large enterprises that are securing complicated business infrastructures. With the proper controls, the private sector would be willing to share its best practices with the public sector to accelerate enhancements to critical infrastructure protection.
Certify ratings for secure products. The government can work with enterprises and vendors to establish a standard security ratings system for computing products. Such a rating would be analogous to existing standards such as testing for EMI/RFI emissions and UL testing, which ensure that devices do not adversely affect the electrical environment. A rating would offer no guarantee about the number or severity of undiscovered vulnerabilities, but consumers would still have an independent baseline assessment of a product's security strength for comparison before purchase and deployment. The federal government could then lead by example with procurement rules requiring high security ratings for software and hardware products.
The cybersecurity czar needs to choose the early initiatives carefully. Item 10 in the proposed near-term action plan recommends: "Build a cybersecurity-based identity management vision and strategy that addresses privacy and civil liberties interests, leveraging privacy-enhancing technologies for the Nation." This could mean a national identity card service to authenticate users, a licensing service for domain registration, a facility to identify devices on the network, or something new. In any event, it is a major undertaking that already has a lot of momentum. It is a challenging place to start, with few apparent best-practice contributions from private-sector enterprises to shorten the learning curve. Let's hope the cybersecurity czar is a good juggler of security priorities.
Eric Ogren is founder and principal analyst of the Ogren Group, which provides industry analyst services for vendors focusing on virtualization and security. Prior to founding the Ogren Group, Eric served as a security industry analyst for the Yankee Group and ESG. Ogren has also served as vice president of marketing at security startups Okena, Sequation and Tizor. He can be reached by sending an email to email@example.com.