Coming to a city near you: a security forum held in concert with September's Cybersecurity Month. That's right. Information security is expanding from one day of awareness here and there to an entire month of public service-like platforms, complete with its own road show.
This, at least, is among the goals of The Awareness and Outreach Task Force, a coalition of security experts from both the public and private sectors, which last week issued guidelines to improve cybersecurity awareness for everyone from PC users to CEOs of large enterprises. In a separate report, the task force also advocated an early warning system for malicious code and vulnerabilities.
The goal of the national cybersecurity early warning contact network is to "improve the sharing, integration and dissemination of information about cybersecurity threat, vulnerabilities, exploits and incidents … within a vetted trust community."
The system would be housed and administered by US-CERT. It's not meant to replace existing information sharing mechanisms but to complement them. Representatives of the 14 critical infrastructure sectors and information-sharing organizations will be involved with the process.
"Generally, many private enterprises, public entities and home users lack the resources to adequately manage cybersecurity risk," the task force said in its report. "Internet users must be made aware of the importance of sound cybersecurity practices and given more user-friendly tools to implement them."
For example, the task force recommends a cybersecurity guidebook be created to help small businesses get up to speed on security. It also favors market-based incentives such as insurance to reward businesses that take security seriously.
The task force has some even more novel suggestions for home users. It recommends a national public service campaign that promotes cybersecurity. Also, the group sees ISPs as a good conduit for getting information about security out to such users.
The task force is also taking its message to the top. It plans to create a series of regional security forums for CEOs starting in September. It also advocates a direct mail campaign to the top execs of the 10,000 largest companies in the United States. Finally, the group wants to see September designated as Cybersecurity Month to raise awareness of the issue.
Last week, some of the task force's suggestions were criticized for being too vendor-centric. It's important to note the task force isn't affiliated with the US Department of Homeland Security or any other government agency. The task force falls under the auspices of the National Cyber Security Partnership, a coalition of trade associations including the US Chamber of Commerce and the Business Software Alliance.
Alan Paller, director of research at The SANS Institute, said last week the focus on end users "is the equivalent of national leaders telling every driver to wear football pads and helmets and tie themselves to the seat backs, because the automobile manufacturers won't build in seat belts and air bags and better bumpers and because there are a lot of dangerous drivers on the road."