RSA Redux: U.S. Cyber-Sec Experts Question Progress, Innovation
[Sometimes there just aren't enough hours in the day, the week, or even the following weekend, to get to everything that you need to do. Sometimes you lose the power strip to your laptop and end up totally dead in the water at a major trade show. Luckily the content at last week's RSA Security Conference was so compelling it's not dead on the vine one week later... thus, eWeek Security Watch gives you... RSA Redux! Enjoy.]
Experts speaking at the RSA Security Conference 2010 in San Francisco cited many of the same issues that have long thwarted U.S. cyber-security reform as the most significant problems still facing the nation today.
Specifically, the long-running challenge of fostering more effective public-private cooperation in addressing electronic attacks remains the biggest hurdle still facing the U.S. in the electronic arena. A lack of new ideas in approaching national cyber-security woes - both from a technical and a policy standpoint - remains another significant issue, the experts agreed.
On a panel dubbed "Delivering a Unified and Resilient National Cyber-Security Framework" hosted by Wall St. Journal reporter Siobhan Gorman, four leading U.S. security practitioners and policy-makers highlighted the fact that little progress is currently being made in these areas despite long-standing recognition of these same issues.
Just hours after newly appointed cyber-czar Howard Schmidt promised that he would have greater opportunity to succeed in the role than many of his predecessors, based on President Obama's recognition of cyber-security challenges facing the nation, the panel, which included former White House advisor Melissa Hathaway, recognized that it will be hard for change to come quickly unless new ideas and practices are adopted.
"We need to have more transparency of what is happening, we need information sharing; with that we get to better situational awareness," Hathaway said. "But this can't stop at U.S., the conversations have to go international as well, as we share our infrastructure with other countries; and to achieve this we need new incentives and market-levers to challenge industry."
While Hathaway and the other panelists - Cisco CSO John Stewart, Greg Oslan of Narus and Bill Crowell, and independent consultant - conceded that government leaders and previous cyber-czars have come to RSA and cited the same need for public-private cooperation, cyber-attacks and other problems have reached a level where we may finally see some progress, they said.
If a system could be created whereby companies would be incented, rather than face potential recrimination, for sharing more details of the attacks and data breaches they experience on a daily basis, people may finally get involved, said Greg Oslan, CEO of Narus, which monitors large IP networks to detect emerging attacks.
However, unless the government is willing to play ball and offer up strategic cyber-security information that it may not have been as willing to share in the past in return for such data, the private sector has little reason to be more forthcoming, the expert contends.
In a nod to another pervasive issue holding up U.S. cyber-security gains, Stewart said that IT security has become so complicated it doesn't resonate clearly with many people outside of the industry, and that the space lacks the radical new ideas that will be needed to solve serious problems.
"We've managed to make the security industry so complex that the people who need it most can't use it or live within it safely," the Cisco CSO said. "Making security simple is hard to do, but exploitation is increasingly easy; we're at a precipice and we need to figure out how to tip the scales."
Stewart also maligned the lack of "crazy ideas" applied within the security space that could potentially lead to major breakthroughs, pointing to work by scientists in recent years to unlock the human genome as an example of the type of outside the box thinking that could prove useful. Many observers may have initially questioned the tangible benefits of such far-out research projects when they were conceived, but the many healthcare breakthroughs that have come from the genome effort have had incredible value, he noted.
"I'm very nervous about the lack of innovative answers showing up in security; we need more of that, we have to get experiments beyond what companies doing in trying to make a profit," Stewart said.
When asked by Gorman - who has broken a handful of the biggest cyber-security stories ever published in just the last year alone - to conjure a historical analogue that best matches the nation's seeming inability to get a handle on the overwhelming cyber-security situation of today, Crowell, a former Deputy Director at the NSA, compared the scenario to the early days of flight.
"In the early days you could just fly, then with World War 2 airplanes became international, a global industry needed to be formed, you had the emergence of government regulation and military airspace, and the establishment of security measures so everyone could fly safely," he said. "The same kind of approach must be applied to cyber-space; until we have a framework that is easily understood, that the general public can understand, we can't move forward as a country."
If we see another new cyber-czar calling for answers to some of these same issues at RSA Security Conference 2011, we'll know that little has changed after all.
Follow eWeek Security Watch on Twitter at: eWeekSecWatch.
Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to SecurityWatchBlog@gmail.com.