Government Seeks IS Workers
Homeland Security eyes industry experts
By Margo McCall
The Homeland Security Department is looking for partners—and employees—in the ranks of the private-sector information security industry. "This is not the federal government coming in to tell you to do something. We have no interest or intention in duplicating a system here," said Homeland Security Secretary Michael Chertoff during the RSA Conference. "We want to enable those interested to get the benefit of what the government learns. In days and weeks ahead, we'll be looking to tap into the private sectors for insights, ideas, and dare I say—employees."
If for no other reason, Chertoff urged those in the security industry to do it for their country. "I know some of you will say the government is kind of clunky. It's not cutting edge." However, he cited the hiring of Silicon Valley entrepreneur Rod Beckstrom to head a new government cyber-security initiative and creation of the Computer Emergency Response Team as a sign the government is making progress.
Noting that the federal government takes cyber threats as seriously as those aimed at the real world, Chertoff painted an alarming picture of what could happen if the US doesn't protect itself from attack. "We could see human and economic consequences that are very much on par with what this country experienced in 2001," he warned.
Chertoff said a single individual or group could use a cyber attack to carry out destruction on the level of that previously done by setting off bombs. Such threats fall into three categories: intruders interested in extorting money or collecting information for financial gain; those interested in government or industrial espionage; and a third, more troubling category—those hoping to interfere with or shut down a system.
No ownership of Internet
Yet, government responses to cyber attacks are hampered by the fact that cyber security isn't solely a federal responsibility. "The federal government does not own the Internet. The federal government cannot be everywhere at once. There is a network that operates in that domain," Chertoff said.
He said last year's botnet attack that shut down the Estonian government for two weeks was a wakeup call to governments worldwide. In light of that, Chertoff said the US government is working to implement 24x7 warning systems at all government agencies, reduce the more than 1,000 access points to about 50, and speed up detection and response times. "We need to be able to detect and analyze anomalies not in hours but in minutes," he said.
There are indications that government regulation is very much on people's minds. "If ever there was a cry for a change in public policy, the time would be now," said Symantec Chairman and CEO John Thompson.
Complex regulatory environment
RSA President Arthur Coviello described today's regulatory environment as "complex and cumbersome," resulting in companies focusing their security efforts on compliance and audit rather than security improvements. "Any regulation can be interpreted to the extreme. Materiality and risk are not given proper weighting," he said, which can result in make-work projects.
Thompson and Coviello both called on Congress to pass a national cyber security law to create baseline standards for safeguarding information and letting consumers know about breaches. Currently, 40 separate cyber security laws are being considered by state governments.
Coviello also advocated more government investment in security research and training for security professionals. He called Chertoff's presence at RSA "an example of the leadership we need."
Solutions hard to legislate
But Craig Mundie, chief research and strategy officer at Microsoft, said regulation isn't always the answer. "It's hard to legislate an answer for the future. People become prescriptive about solving today's problems," he said.
Adi Shamir, a computer-science professor at Israel's Weizmann Institute of Science, agreed. As an example of a security regulation that likely won't appreciably improve security, he cited the federal government's $300 million proposal to expand its two-digit biometric fingerprint requirement to all 10 fingers.
"The current system caught 2,000 people who outstayed their visas. If you upgrade it, you might have one more. He will be a very expensive guy, a $300-million guy," he said. Shamir recalled being asked if he was a Communist Party member when entering the United States. Now, he's asked if he's been trained to operate an atomic, biological or chemical weapon. Just as effective, he joked, would be a self-assessment where foreign visitors would be asked to rank themselves as bad, very bad, or extremely bad.
CW (April 2008)