BOSTON -- National cybersecurity expert Andy Purdy says it's time for less hyperbole in Washington, D.C. and more action when it comes to defending the nation's critical infrastructure.
"We have not adequately made it clear to decision makers what it is they need to worry about and what they need to do about it."
- Andy Purdy, former federal cybersecurity czar
In the opening keynote at the SOURCE BOSTON 2010 security conference, Purdy called for a leadership committee made up of a mixture of government and private sector officials to help identify strategic priorities and take action on many of the lessons learned from the 2006 and 2008 Cyber Storm exercises.
Purdy, who participated in the two exercises that tested the nation's response to a major cyberterrorism attack, said little has been done to take the lessons learned and apply them to implement better defenses and develop a more coordinated response. Much of the response to the exercises has been in the form of talk, he said. Many reports highlight deficiencies, but little action has been taken. Cyber Storm I cost $3.5 million and more than $6 million was spent on Cyber Storm II, Purdy said.
"Nobody followed up," Purdy said. "The challenge was to try to create visibility to get the government and private sector together … the opportunity for something like the outcome of Cyber Storm provides a roadmap for the private sector."
Purdy, who worked in the Bush Administration, was one of the cybersecurity experts who helped draft the U.S. National Strategy to Secure Cyberspace in 2003. Later, at the Department of Homeland Security, he served on the team that helped to form the National Cyber Security Division (NCSD) and the U.S. Computer Emergency Readiness Team (US-CERT). He is currently chief cybersecurity strategist at Falls Church, Va.-based Computer Sciences Corp.
"To me, having experience is only valuable if we learn from it," Purdy said. "When I'm in one of those public-private partnership meetings, people say 'let's have more information sharing.' That's fine, but we have to set requirements. We have to go further than that."
Purdy said the new leadership committee would meet quarterly and bring all the key stakeholders together to help White House cybersecurity coordinator Howard Schmidt set goals. It could help create a framework and identify strategic priorities or milestones that can be set so the White House could track progress. The focus would take a risk-based approach to address preparedness, defend against malicious activity and foster research and development activities.
Purdy said the federal government must take steps to better identify priorities based on risk and sharpen plans that bolster business continuity and disaster recovery. "Stakeholder collaboration is critical," he said. "You need those key stakeholders, who understand the information, to be engaged in an ongoing basis."
Experts in the private sector need to be embraced if the government ever expects to ensure that critical infrastructure, much of which is owned by private companies, is protected, Purdy said. While some experts say it could take a major cyberattack to get the government moving on issues, Purdy said a cyberattack won't result in getting any action. "Somebody will get blamed," he said. "We have not adequately made it clear to decision makers what it is they need to worry about and what they need to do about it."