« ICANN Meeting Will Proceed Despite Fires | Main | 602b Anyone? The E-Mail Tax Comes To Life »
Security Information Wants To Be Shared
This story was originally published in Tuesday's PM Edition of Technology Daily.
By Heather Greenfield
A House Oversight and Government Reform subcommittee spent Tuesday afternoon reviewing government and private-sector efforts to secure the nation's Internet infrastructure. The House Homeland Security Committee held a similar hearing last week.
The attention comes in part because the Homeland Security Department has declared October as Cyber Security Awareness Month, but the hearings are timelier after a recent video leak to the media. It showed an experiment at one of the national laboratories in which a researcher hacked into a power-plant control system and set fire to it with the click of a mouse.
Getting a grasp of the history of improving cyber security is a challenge in part because the threat has changed. Larry Clinton, president of the Internet Security Alliance, said in prepared testimony that as America has moved from vulnerabilities that might have taken months to exploit to the current era of immediate attacks, "just getting information is no longer nearly enough."
Homeland Security Assistant Secretary Greg Garcia assured lawmakers that the department has been holding regular meetings with the private sector over the last several years to strategize on how to better secure critical infrastructure like the Internet. But he said the department's role is more leadership and it cannot force companies to adopt preferred security practices.
A Government Accountability Office report released last week said that despite all the talk about cyber security, more action is needed to better coordinate overall strategy among various federal agencies and the private sector. The report also said that until Homeland Security addresses weaknesses in information-sharing about threats, it will not be able to effectively address vulnerabilities between the public and private sectors.
Since the department's creation, the U.S. Computer Emergency Response Team, or US-CERT, has taken over information services that trade groups like the ISA had provided through contracts and non-disclosure agreements to its members.
Clinton offered recommendations that industry wants government to make to improve its approach to information-sharing.
"The traditional model is to withhold information and disclose if necessary," Clinton said. "The lack of sharing of information and government requirements for treating corporate information once disclosed is one of the major reasons that the necessary trust environment has not been established, and the information-sharing regime is widely held to be inadequate by all sides."
Clinton said the US-CERT information is useful but not all that is needed. "Treating cyber security just by providing information is like treating a staph infection with a Band-Aid."
He said the good news is that the private sector is taking the problem seriously, and there is an emerging consensus on how to formulate an effective government-industry partnership. But he acknowledged, "We have yet to see much in the way of concrete actions to make that system a reality."
Posted by Danny on October 26, 2007 07:00 AM | Permalink
Trackback Pings
TrackBack URL for this entry:
http://amcblog.nationaljournal.com/cgi-bin/mt/mt-tb.cgi/3542
Comments
The numbers speak for themselves with regards to information sharing. Incident reporting to US-CERT doubles every year and highlights that 70% of the incident reporting is from the private sector. This is often misleading when it is stated that sharing of info is not happening. Also keep in mind, many reporters, specifically companies, do not want their information in fear that it might jeopardizes their organizations standing in the marketplace. However, almost all of them were willing to share when it related to a new vulnerability. The other item not discussed is "responsible disclosure" which is followed and disclosed when a fix is available unless their is high likelihood that it can be exploited rapidly via the network or internet. US-CERT has specific criteria or a decision tree that is leveraged and was developed in partnership with industry.
Just my .02.
J
Jerry | 10.27.07 08:54 AM
 |
