
Cybersecurity commission to set security recommendations for next administration

By Dennis Fisher, Executive Editor
29 Oct 2007 | SearchSecurity.com

Security Wire Daily News

A Washington-based security think tank is planning to establish a commission comprising information security experts from the private sector and policy organizations to create a series of recommendations on cyber security for the next president.

The Commission on Cyber Security for the 44th President, to be announced on Tuesday in Washington, will be tasked with exploring the existing federal security policies and infrastructure and then building a set of practical recommendations for ways that the next president can improve the status quo. The group will be co-chaired by a Congressional leader and an official from the private sector.

The new commission, which is the work of the Center for Strategic and International Studies, likely will be following up on the National Strategy to Secure Cyberspace, the long-range plan developed during George Bush's first term. That document was the work of government officials working with experts in academia and the private sector. But shortly after its release in 2003, experts, including some who participated in the report's creation, began criticizing it for being too vague and lacking specific, near-term actions that could be taken. Richard Clarke, the president's advisor on cyber security issues and the man who led the effort to create the national strategy, stepped down a few months after its release and a series of successors had little success implementing the measures recommended in the plan.

Among the members of the new commission are Mary Ann Davidson of Oracle Corp., Ed Felten of Princeton University, Shannon Kellogg of EMC Corp., Paul Kurtz, former head of the Cyber Security Industry Alliance, Marcus Sachs of The SANS Institute and Michael Vatis, former head of the FBI's National Infrastructure Protection Center. On the government side, Margie Gilbert of the National Security Agency and Jessica Herrera-Flanigan, the staff director of the House Homeland Security Committee and former federal cyber crime prosecutor, will be ex-officio members.

Some of the recommendations in the original plan, such as better information sharing between the federal government and private sector, have been put in place. But for the most part, the national strategy is regarded as a missed opportunity and overall failure by most in the security community.

"I think there is a lot of dialog, to give credit where it's due. But I'm not sure about the quality of the dialog. It varies from group to group," said Amit Yoran, CEO of NetWitness Corp., and a member of the CSIS commission. Yoran is the former head of the National Cyber Security Division at DHS, as well. "I think what we need is some better guidelines on that interaction. There isn't a whole lot of specificity in the national strategy on that."

Now, the question is whether an effort from the private sector can succeed where one with the full backing of the federal government couldn't.

"I think it will be easier this time around because we've realized that the enemy is already inside of us," said Tom Kellerman, vice president of security awareness at Boston-based Core Security, and a former security official at the World Bank who helped develop the original national strategy. "People have seen that our worst-case scenarios have already happened. Now the question is how do we galvanize the public to protect this soft underbelly? Our enemies have realized that our over-reliance on technology is our soft spot and they can compromise these systems at will. We no longer have the monopoly on being the big brother. This technology can be used against us."

The Bush administration has been roundly criticized by security experts for what they perceive as a lack of attention to the problem of computer security. The top security job at the Department of Homeland Security has changed hands several times in the last few years and at one point was vacant for more than a year. The CSIS-supported commission plans to hold several plenary sessions on the issues relating to improving cyber security, including the current threats and public policies and whether new legislation or regulations are needed. Ultimately, the commission intends to release a report and a set of recommendations to the president for concrete ways in which the government can work to improve security.

Kellerman, who is also on the new commission, said that one key to ensuring the success of the commission's efforts is to work with other organizations to find practical solutions that can be implemented in the near term to address specific problems.

"We can't take this as a unilateral effort," he said. "We need to work with some of these other multinational organizations. Why aren't groups like the World Bank and the IMF [International Monetary Fund] being forced by the Treasury to give loans to some of these hackistan-type countries so they can harden their infrastructures against this stuff?"

The commission will meet for the first time on Nov. 7 and is due to complete its work by the end of 2008.


