SAN JOSE, Calif. -- The insecurity of the United States' critical IT infrastructure -- financials, energy, water, government -- has been elevated in the consciousness of the country's information technology professionals.
But has securing those crucial IT segments been made a priority beyond the data center? And can security come without violating privacy?
"[Security] needs to be a corporate priority, not just an IT priority," said Bruce Heiman, executive director of Americans for Computer Privacy, and a Washington D.C. veteran. "Much in the same way as the anthrax letters moved postal security out of the mailroom to the boardroom. I hope it does not take a cyber attack to move this to the attention of senior-level management."
Heiman is speaking at this week's RSA Conference 2002 on the state of cybersecurity in D.C. One of the RSA show's principal themes is cybersecurity post-September 11. Heiman's group is a coalition of technical companies and individuals who were in the lead during the fight to liberalize export controls on encryption products. For two years, the group's attention has shifted to cybersecurity, in particular, securing the nation's critical infrastructure.
They do so, Heiman said, by monitoring legislative action to ensure consistency in lawmakers' actions. "There should not be tech mandates coming from D.C in terms of security. Cybersecurity is best accomplished by the private sector. Government and industry
September 11 kicked off a firestorm of concern for the nation's critical IT shops and Heiman's group exists to ensure that government does not overstep its bounds in the name of national security, he said.
Most recently, Heiman has been poring over the Patriot Act -- a recently adopted U.S. law giving federal and local authorities widespread power in monitoring Internet usage -- and how it applies to government eavesdropping of e-mail and Web surfing. Heiman said that his group succeeded in convincing legislators to include a provision in the Patriot Act that that regulated government's influence over how industry develops or deploys new technology or surveillance capabilities.
Heiman said he spends a considerable amount of time talking to IT managers and is confident they understand the seriousness and reality of a potential cyberattack. Elevating the consciousness of the executive level is another challenge. A bigger challenge may be the sharing of information with government authorities about system and software vulnerabilities and hacks.
"Now, they don't do much sharing of information because they are worried they will incur liabilities, or if the Freedom of Information Act (FOIA) kicks in, that the competition will benefit from their misfortune," Heiman said.
Several attempts are under way to pass legislation that will ease the FOIA and allow for better sharing of IT information.
In the end, Heiman said that education is one of the best weapons IT managers have to defend critical infrastructure.
"It is an education issue. A cyber terrorism attack is serious and can happen," Heiman said.
And education needs to be used in concert with technology, he added.
"You absolutely need the right technology tools," Heiman said. "You need to deploy the tools and you need to have people use the tools correctly. Passwords don't do you any good if the passwords are all English-language and never change, rather than using some random expression, for example.
"Protecting critical infrastructure requires IT managers to expand their horizons vis-?is potential threats all while protecting the bottom line."