SAN FRANCISCO – Public-private collaboration has earned its distinction as a nonstarter in security circles. Beaten to death by public-sector types hoping to foster dialogue with private companies on threat intelligence and other pertinent issues, the notion is tired.
Cybersecurity coordinator Howard Schmidt tried his best to instill some vigor into it at RSA Conference 2011 during a Town Hall meeting sponsored by the National Cyber Security Alliance. Schmidt provided real-world examples of public-private cooperation, and asked for continued movement in this direction, in an attempt to make good on calls by President Obama to move online economies forward in a trustworthy fashion.
"Our networks need a threshold of trust so we can continue to shop, file our taxes and interact online and keep most of our transactions successful," Schmidt said.
Schmidt, along with fellow panelists Phil Reitinger, deputy under secretary for preparedness at the Department of Homeland Security, and NIST Director Patrick Gallagher, stumped for initiatives such as the National Strategy for Trusted Identities in Cyberspace (NSTIC), the National Cyber Response Plan and the Stop. Think. Connect. movement. Each, the panelists said, was a step toward enhancing trust in online transactions and key to the overall health of the economy moving forward. Collaboration, they added, is central to making each of these initiatives as thorough as possible.
"We've got a long way to go," Reitinger said. "We say it, but people don't always hear what we mean. When we say partnerships, some people hear 'kumbaya,' and nothing changes. Successful partnerships have things in common: They actually are a partnership. They actually are real. And they're outcome-focused."
NSTIC, launched last month by Schmidt and U.S. Commerce Secretary Gary Locke, is a plan to create identity solutions that enhance the security and privacy of high-value online transactions -- and it's one instance where public-private cooperation worked, Schmidt said. The private sector helped develop the strategy, which would provide authentication depending on the type of transaction involved.
"Because everything on the Internet is action at a distance, we need the ability to make decisions about trust and have strong authentication available if people want to use it," Reitinger said. "Of anything we could do as a global economy, we need to make sure strong, interoperable authentication is broadly available. That would solve a lot of problems."
Another example Schmidt offered was the dry run of the National Cyber Incident Response Plan during the Cyber Storm III exercises last September. Cyber Storm is the government's annual tabletop exercise in which it runs through its incident response plan and defines responsibilities for the parties involved in the event of a nationwide incident.
The panelists also made a call for universities to include cybersecurity curricula through programs such as the National Initiative for Cybersecurity Education (NICE), which will operate in four areas, including information security awareness training campaigns, education, cybersecurity workforce promotion and training and professional development, all under the coordination of NIST.
"Cybersecurity is a security and an economic issue: Nowhere is that clearer than in the workforce," Reitinger said. "NICE focuses on supply and demand – do we have enough people, and, once they're out, do we have a career path for them? Do they know their career progression? Are we maintaining their skills? We can't just catch these kids when they're 15; we have to catch them when they're 5."
Under NICE is the Stop. Think. Connect. program, aimed at making the consumer online experience more secure. "We want to engrain in people how to behave securely online," Schmidt said, "much in the same way they know to look both ways before they cross the street."