[iwar] [fc:Cybersecurity.task.forces.move.DHS.from.planning.to.action]

From: Fred Cohen <fc@all.net>
Date: Sat Dec 06 2003 - 07:19:21 PST

Cybersecurity task forces move DHS from planning to action

By DAN VERTON
DECEMBER 04, 2003

SANTA CLARA, Calif. -- Five industry/government task forces have delivered
to the Department of Homeland Security specific action plans to achieve the
cybersecurity goals outlined in the Bush administration's National Strategy
to Secure Cyber Space.

After two days of meetings behind closed doors at the inaugural DHS National
Cyber Security Summit here, the task forces emerged yesterday with lists of
specific programs and initiatives officials said they hope to put in motion
by March. The five categories covered include cybersecurity awareness, early
warning, corporate governance, technical standards and secure software
development and maintenance.

"We've moved from strategy to implementation," said Amit Yoran, director of
the National Cyber Security Division at the DHS.

He characterized the summit as the first step on a long journey and warned
the IT community that the threat of cyberterrorism means the nation's
cybersecurity practitioners will need to think differently about how
technology can be used against the country -- and to help protect its
critical infrastructure.

Howard Schmidt, chief security officer at eBay Inc., served as co-chairman
of the cybersecurity awareness task force. He outlined a broad plan to raise
awareness about the importance of cybersecurity, including the development
of a cybersecurity excellence award program for state and local governments,
greater emphasis on computer ethics in K-12 school curriculums and a public
safety announcement effort that focuses on individual responsibility.

The goal is "to instill a sense of civic duty in the home user community,"
said Schmidt. He compared the effort to the 1950s-era Cold War campaign to
install bomb shelters in homes and schools.

Guy Copeland, special assistant to the CEO of Computer Sciences Corp. and
co-chairman of the early-warning task force, said his group wants to have a
detailed planning document ready by Dec. 17, although many difficult issues
must still be tackled. For example, his task force wrestled with questions
about what type of information is needed for early warnings and who should
get that information. In addition, task force members questioned the type of
information that can be collected, how long it can be maintained and who
should have access to it.

With the ability to send out early cyber-warnings still uncertain, Copeland
said the task force plans to tap into lessons learned by the Defense
Department's Joint Task Force for Computer Network Defense, which has
extensive experience conducting early-warning operations.

The challenge of cybersecurity goes far beyond technology, according to Art
Coviello, president and CEO of RSA Security Inc. and co-chairman of the
corporate governance task force. According to Coviello, the task force plans
to recommend that information security be made a subset of the internal
controls that CEOs are required to maintain.

His task force plans to complete by March 1 a framework for implementing its
overall plan. The group hopes to distill knowledge about corporate
governance into a central repository CEOs can use; develop guidelines for
implementing the framework at organizations of different sizes and in
different industries; and establish a way to measure compliance.

Ed Roback, chief of the Computer Security Division at the National Institute
of Standards and Technology and co-chairman of the technical standards task
force, said one of the main priorities for his group will be to help systems
administrators configure products for optimal security. The plan calls for a
central repository that contains advice on best practices in secure
configurations, as well as an effort to reach user organizations already
working on the problem.

However, the question that remains unanswered, said Roback, is whether
software vendors have a responsibility to deliver products configured
securely and with install scripts that ensure that default configurations
are set for optimal security.

Catherine Allen, CEO of BITS and co-chairman of the task force handling
secure software development, said members of her task force are developing a
white paper covering the education and certification requirements for
software developers that will emphasize the economic benefits of hiring
certified developers. The task force will also propose a new set of
practices that Allen said could reduce defects in the software development
process and in products.

The most important near-term goal of the task force, however, is to refine
the current patch management process for companies, said Allen. She offered
no specifics. But Scott Charney, chief security officer at Microsoft Corp.,
served as co-chairman of the task force and will likely champion that
effort. Other issues being studied by the group include "everything from
regulation, legislation and other incentives" to improve software
development, said Allen.

Coviello, however, urged the more than 300 IT executives present to "keep
their eyes on the prize."

"I don't need the threat of regulation or the perceived threat of regulation
to do this," said Coviello. "I'm doing this because it's the right thing to
do. We're doing this for the right reason," he said, to resounding applause
from the predominantly IT vendor audience.

Source: Computerworld

**COPYRIGHT NOTICE** In accordance with Title 17 U.S.C. Section 107, any copyrighted
work in this message is distributed by IWS - The Information Warfare Site under fair
use without profit or payment to those who have expressed a prior interest in receiving
the included information.
http://www.law.cornell.edu/uscode/17/107.shtml

------------------------------------------------------------------------
Information is the currency of victory on the battlefield.
GEN Gordon Sullivan, CSA (1993)
------------------------------------------------------------------------

INFOCON Limited Mailing List @
IWS - The Information Warfare Site
http://www.iwar.org.uk

------------------
http://all.net/

Received on Sat Dec 6 07:20:10 2003
