Security Information Wants To Be Shared
This story was originally published in Tuesday's PM Edition of Technology Daily.
By Heather Greenfield
A House Oversight and Government Reform subcommittee spent Tuesday afternoon reviewing government and private-sector efforts to secure the nation's Internet infrastructure. The House Homeland Security Committee held a similar hearing last week.
The attention comes in part because the Homeland Security Department has declared October as Cyber Security Awareness Month, but the hearings are timelier after a recent video leak to the media. It showed an experiment at one of the national laboratories in which a researcher hacked into a power-plant control system and set fire to it with the click of a mouse.
Getting a grasp of the history of improving cyber security is a challenge in part because the threat has changed. Larry Clinton, president of the Internet Security Alliance, said in prepared testimony that as America has moved from vulnerabilities that might have taken months to exploit to the current era of immediate attacks, "just getting information is no longer nearly enough."
Homeland Security Assistant Secretary Greg Garcia assured lawmakers that the department has been holding regular meetings with the private sector over the last several years to strategize on how to better secure critical infrastructure like the Internet. But he said the department's role is more leadership and it cannot force companies to adopt preferred security practices.
A Government Accountability Office report released last week said that despite all the talk about cyber security, more action is needed to better coordinate overall strategy among various federal agencies and the private sector. The report also said that until Homeland Security addresses weaknesses in information-sharing about threats, it will not be able to effectively address vulnerabilities between the public and private sectors.
Since the department's creation, the U.S. Computer Emergency Response Team, or US-CERT, has taken over information services that trade groups like the ISA had provided through contracts and non-disclosure agreements to its members.
Clinton offered recommendations that industry wants government to make to improve its approach to information-sharing.
"The traditional model is to withhold information and disclose if necessary," Clinton said. "The lack of sharing of information and government requirements for treating corporate information once disclosed is one of the major reasons that the necessary trust environment has not been established, and the information-sharing regime is widely held to be inadequate by all sides."
Clinton said the US-CERT information is useful but not all that is needed. "Treating cyber security just by providing information is like treating a staph infection with a Band-Aid."
He said the good news is that the private sector is taking the problem seriously, and there is an emerging consensus on how to formulate an effective government-industry partnership. But he acknowledged, "We have yet to see much in the way of concrete actions to make that system a reality."
Join the Discussion
The National Journal Group has the right (but not the obligation) to monitor the comments and to remove any materials it deems inappropriate.
Comments powered by Disqus