Cyber-Security: Striving for Public/Private Pact
WASHINGTON--As the federal government looks to industry to increase its role in policing the information infrastructure in this new era of global terrorism, enterprises are looking to the government to share the costs of their vigilance.
The rally for a public/private partnership in the wake of the Sept. 11 attacks was highlighted last week by the White House announcement of an executive order establishing a cyber-security board to coordinate federal infrastructure protection efforts. The Bush administrations proposal includes provisions for holding agency heads, rather than IT managers, accountable for network security failures.
"The government is going to hopefully be a model to private industry," said Ronald Dick, director of the National Infrastructure Protection Center, at a forum on cyber-defense here sponsored by the Center for Strategic and International Studies and the Information Technology Association of America.
Enterprises, already strapped by ever-increasing security costs, want to help, but they also want assurances that their increased involvement wont come back to haunt them. As a result, several industries have banded together to press for legislation protecting shared company information from public disclosure through the Freedom of Information Act.
Last week, a group of eight industry organizations, including the National Association of Manufacturers, Edison Electric Institute, American Petroleum Institute and the ITAA, wrote to lawmakers encouraging them to pass a bill introduced by Sens. Robert Bennett, R-Utah, and Jon Kyl, R-Ariz. The legislation relaxes FOIA and antitrust laws to give enterprises more leeway in sharing information.
"We have to give smokestack industries an incentive to share critical information," Bill Guidera, federal government affairs manager at Microsoft Corp., of Redmond, Wash., told eWEEK. "Almost all [IT companies involved in critical infrastructure] are on board with this."
The legislation is unlikely to be voted as a separate measure, but advocates hope it will be attached to one of the spending bills that must be passed before Congress adjourns this year. "Everybody likes my bill," Bennett said at last weeks forum. "But we cant find a home for it."
Pressure is mounting for enterprises to approach new cyber-defense measures with the same sense of urgency felt in the months leading to the new millennium. In the case of Y2K, the government provided a financial incentive for network upgrades when the Securities and Exchange Commission required companies to include Y2K preparedness information in their filings.
"Every company has to have a fairly significant paradigm shift in attitude toward the costs [of network security]," Bennett said. "If you adopt a fail and fix notion with cyber-terrorism, you are going to have much higher costs." Bennett said he discussed Y2K-like requirements with the SEC chairman in light of the new concerns about cyber-security.
"I dont think there are any new approaches that we havent tried before, but were going to see a much broader implementation of the practices we were doing before," said an IT security executive who asked to remain anonymous.
"The way we are going to counter the cyber-threat is to cooperate in different industries," the IT security executive said. "Thats the only way we will come up with a comprehensive answer to this problem."
In a study on information sharing issued last week, the General Accounting Office found that successful public-/private-sector partnerships can only be established over time, and they are built primarily on personal relationships. The study, requested last May by Bennett, found that organizations are often reluctant to share information, particularly with competitors, until a foundation of trust is created.
In addition to the FOIA and antitrust relief sought in the Bennett legislation, the ITAA last week urged Congress to make cyber-defense a pillar of the pending economic stimulus measure. The association asked that greater investments be made in upgrading federal government IT and security features and that grants be made available for state and local governments. It also called for more funds for universities to provide information security training and for loans to small and medium-size businesses for equipment and training.
"Long-term research and long-term training has to be a responsibility of government," said Harris Miller, ITAA president, at last weeks forum.
The GAO identified several other challenges to enhanced information sharing, including developing protocols on use, keeping appropriately skilled staff, and, of course, obtaining funding for meetings and Web sites. Some organizations are wary of funding being used for promoting a particular partners commercial interests, according to the report.
While the government looks to the private sector for greater support, many in the private sector are looking to the government to encourage safer networking in nonlegislative and nonregulatory ways. Some suggest that federal agencies could do more by demanding that security vendors provide better products.
"It is clear to me that the government can use its buying power to say that if a vendor does not include good- citizen capabilities in a product, it will not be able to buy from that vendor," Avi Freedman, vice president and chief network architect at Akamai Technologies Inc., of Cambridge, Mass., told eWEEK. While it may be difficult to apply such leverage in purchasing operating systems or network hardware, where there are few choices among brands, it could be applied in purchasing telecommunications services and Internet connectivity, Freedman said.
eWEEK Executive Editor Stan Gibson contributed to this report.