Almost a year after launching a cyber-security "Manhattan Project" and less than a month before President-elect Barack Obama takes office, outgoing Department of Homeland Security Secretary Michael Chertoff says the Bush administration is leaving Obama with "some momentum" on cyber-security.
Speaking Dec. 18 at the conclusion of a two-day cyber-warfare exercise in Washington, Chertoff said, "I think we've done an awful lot in a relatively short period of time, as, you know, government work goes and while there's much more to be done, I think we've teed up, so the next administration has some momentum and I will encourage them in any way I can to continue to move it forward."
In January, Bush signed a classified presidential order ordering the DHS and the National Security Agency to expand their cyber-security efforts. Chertoff said that initiative has been successful, at least as a starting point.
"Obviously, this is a work in progress, but it is one which builds upon a shared relationship of trust and experience, which we have seen work in the physical realm and one of the reasons we have to work across the entire domain of our relationships with the private sector is because the needs of each sector differ in terms of what their concerns are from a cyber-security standpoint," Chertoff said.
Chertoff added that historically there has been a "radical" division between the U.S. intelligence agencies and the private sector in involving the government in civilian networks for fear of the legal consequences. That, he said, needs to change.
"The cyber-security threat isn't only one that occurs at the level of traditional nation states and traditional conflicts," Chertoff said. "It occurs with respect to terrorism, where we know that a cyber-terrorist attack could have a potentially very, very serious impact on the safety and well-being of our citizens. And even common criminals have done an enormous amount of damage using the cyber-system to exploit our vulnerabilities in order to make money."
Noting that while the most publicized threats to U.S. cyber-security are from people hacking into systems, Chertoff said the country needs to be prepared to deal with a full spectrum of threats, including individuals compromising systems from within and the security of supply chains.
Chertoff identified three specific types of cyber-security threats: hackers who steal information, threats that would degrade or destroy the ability to actually engage in activities over the Internet, and inside corruption of the process.
"Not an attack that necessarily destroys a system, but that simply corrupts it or changes it in a way that makes it unusable and undermines confidence and trust," Chertoff said. "And here, although it hasn't happened to my knowledge, imagine a circumstance where a terrorist attacked our financial system and simply altered the data in a way that left people with a lack of confidence that they could get accurate information or access to their assets."
DHS, in collaboration with a number of partners, has established a cross-sector Cyber Security Working Group. The group meets monthly and includes industry and government representatives from 18 critical infrastructure and key resource sectors. Chertoff said the idea is to exchange information on vulnerabilities and strategies for mitigation, hold briefings in both directions about what cyber-threats are emerging, and to participate in specific projects.
In particular, Chertoff said, "we're focused on chemical, IT, and banking and finance sectors because we know those are sectors where there's a particular concern about the collateral consequences of a cyber-attack."