SAN JOSE, Calif.—Senior cyber-security officials defended the U.S. government's continued reliance on private sector initiatives to improve the security of the nation's infrastructure, even as some experts raised questions about its effectiveness.
Current and former officials from the Department of Homeland Security, the White House and the Federal Aviation Administration said that the federal government was making progress on cyber-security. It is doing a better job of working with private sector partners and critical infrastructure owners, according to Andy Purdy, acting director of the U.S. Department of Homeland Security's National Cyber Security Division.
But the government is ignoring an epidemic of state-sponsored espionage, and its reliance on voluntary cooperation by private sector companies and industries is too slow to keep up with fast-moving cyber-threats, said Jim Lewis, a senior fellow and director of the Technology and Public Policy Program at CSIS (Center for Strategic and International Studies).
Purdy and Lewis were speaking at the RSA Conference in San Jose, Calif. in a session called “The National Cyber Security Agenda: Where Have We Been and Where Are We Going?”
They were joined by Dan Mehan, CIO of the FAA, and Howard Schmidt, until recently a CSO at eBay and deputy to former White House cyber-security czar Richard Clarke.
Purdy said his agency and the federal government were making significant progress on cyber-security. The recent Cyber Storm exercise, which tested private and public sector response to a simulated cyber-attack, is one example of how the federal government is doing a better job of coordinating with cyber-security stakeholders, Purdy said.
“The range of stakeholders and critical players [in Cyber Storm] is significant,” Purdy said.
Cyber Storm tested the government's communications paths and processes in the event of an actual cyber-attack. The results of the exercise won't be available before the summer, but the DHS is already planning changes to its response systems as a result of the exercise, Purdy said.
But others struck a more cautionary note about the federal government's progress on cyber-security.
“Are we making progress? Yes. But we have to hit the afterburners,” said Mehan.
The government needs to improve network resilience in the wake of attacks and invest in research and development to create the next generation of security technologies, he said.
“I'd give [federal government agencies] a C+ … it was a flat F two years ago,” he said.
CSIS's Lewis painted an even more dire picture, saying that the government and private sector are nearly blind to an epidemic of intellectual property theft and state-sponsored cyber-espionage, even as they make incremental progress in securing their networks.
He said the federal government has mostly been ineffectual in getting the private sector to improve the security of products, and in securing its own IT resources.
“How much worse off would we be without any [federal government] effort? I think the answer is mixed,” Lewis said.
In some areas, such as the financial services industry, private sector initiative has improved cyber-security. However, in other areas, such as the nation's electrical grid and software development, there has been less progress, he said.
The federal government's need to centralize could spur change in recalcitrant sectors by passing regulations to require change, Lewis said.
“Public-private partnerships work well for some problems, but they're inadequate for others. We have to start thinking about areas where they're not delivering,” he said.
Schmidt and Mehan also backed calls for more basic research on computer security. However, calls for the government to use its purchasing power to force software makers to improve the security of their products received a lukewarm response.
Purdy seemed puzzled by a question from an audience member about what software and security tools DHS was investing in, but noted the agency's efforts across a wide range of issues, from espionage to child endangerment online.
DHS may be the wrong agency to spearhead the government's effort on cyber-security, Lewis said. The agency is too large and too slow-moving to keep up with cyber-security threats, despite its recent sponsorship of Cyber Storm and an earlier exercise called LiveWire.
“You can't win a NASCAR race with a Volkswagen,” he said.
The federal government should offer incentives to companies that might not see it in their fiduciary interest to invest in mitigating risks, Mehan said.
Alan Paller, director of research at The SANS Institute, added that the federal government is working with a flawed model in its reliance on private sector initiative on cyber-security.