Bush administration officials want private-sector CIOs to share more of their sensitive security information, saying the data is vital to the governments success in improving network security. But corporate America remains wary and unconvinced that the federal efforts are worth the time.
Government security experts meeting here last week at the Infosecurity show say their attempt to improve the security of public and private networks will be severely limited unless enterprises help by sending in sensitive data on vulnerabilities and attacks.
However, CIOs and security personnel contacted by eWeek last week said there is little incentive for them to share such data with the government. At the forefront of their concern are the potential repercussions if the information became public.
"I would be concerned about confidentiality. This sounds like the government putting their nose in things that they dont need to—with good intentions maybe—and using national security as a reason," said Mike Prince, CIO at Burlington Coat Factory Warehouse Corp., based in Burlington, N.J. "It would be reasonable if they wanted information on a particular incident. But the next thing you know, theyll be asking us to capture data that we dont now. Id really question the motivation on this."
Because the vast majority of the nations network infrastructure is owned and operated by the private sector, government officials said they need the industrys help to assess the overall security of the networks and look for attack and vulnerability trends.
"The government has limited resources, time and money to assess the critical infrastructures vulnerability," said Robert Shepherd, director of information integration at the Office of Homeland Security, in Washington. "And thats not even addressing the question of whether you want the government doing that. Theres a certain level of skepticism between the private sector and the government."
The governments goal is to correlate incoming data and use it to spot attack trends and widespread weaknesses in corporate networks. Ideally, it would then use the information to provide enterprises and other organizations with early warnings of impending problems and other issues.
The collection and analysis of the data would likely be done by the information security arm of the Department of Homeland Security, which is due to begin operations in February.
"The elimination of all vulnerabilities isnt possible during the life cycle of a network," Shepherd said. "But we want to be able to rapidly disseminate vulnerability information to the private sector. There are other things like this under way [in the private sector], and we need to build on that and not hamstring it in any way."
Still, security experts say the government will face some tough objections to its effort and is unlikely to get much cooperation, short of creating a regulation or law compelling corporations to cooperate.
"Theres no incentive for CIOs to help them. Whats the return for them?" said Scott Blake, vice president of information security at BindView Corp., a security vendor based in Houston. "Without a mandate, theyll never get that information. And even if they get it, I dont know what theyd do with it."
The Bush administration has taken a strict anti-legislation stance on most issues, including the effort to improve the security of the nations critical infrastructure. But there seems to be little support in the private sector for any kind of voluntary plan, let alone a mandatory one.
"I see no reason to especially trust government agencies and their staffs with confidential information that could harm my company if leaked," said the president of a software company, who asked not to be named. "The governments track record is far from perfect."
"The thing thats frightening is, I could see this turning into some sort of compulsory reporting thing," agreed Burlingtons Prince. "Its one thing if its voluntary, but if its mandatory, no.
"Look at the airlines and all of the things the government has put in place [since last years terrorist attacks]," Prince said. "Its just made them less efficient, not really any more secure. The best way to get that information isnt from us."