WASHINGTON—In the ongoing effort to spur greater coordination among federal agencies, industry, law enforcement and academia in addressing network vulnerabilities and warding off future attacks, the Department of Homeland Security is putting together a National Cyber Security Summit, tentatively scheduled for late fall.
Policy-makers, on Capitol Hill and in the administration, are leery of promulgating measures that have the appearance of government standards-setting. But officials clearly see a lack of common criteria for detecting and reporting threats as an impediment to optimal incident response.
Testifying before the House cyber-security subcommittee Tuesday, Robert Liscouski, assistant secretary for infrastructure protection at DHS, told lawmakers that the multiple cyber infrastructures in the country necessitate a more coordinated security effort.
In his written testimony to the subcommittee, Liscouski outlined the goals of the summit, several of which involve de facto standards setting. Officials hope to spur a standards-based system for communicating threats nationwide and develop a common threat and vulnerability reporting tool.
The summit also aims to develop a “vulnerability reduction initiative,” based on improved evaluation standards, software measures, patch deployment tools and methods, and best practices. Participants will develop a “National Cyber Security Road Map,” outlining a timeframe for improving online safety and developing ways to measure the improvement, according to Liscouski’s testimony.
Members of the subcommittee voiced worries about the pace and strength of federal cyber-security initiatives. The recent widespread worm attacks left lawmakers concerned about the growing cost to corporate America of not securing the cyber infrastructure.
The U.S. Computer Emergency Response Team, which Liscouski unveiled Monday, will help create new attack detection tools and foster the use of common commercial reporting protocols, he said. Ultimately, state-level CERTs will be established to further promote collaboration among all network operators and users, he said.
Liscouski repeatedly emphasized that the department plans to move briskly forward with its cyber-security initiatives and that mistakes are inevitable. “We will err on the side of sharing too much information sometimes,” he said. “What has been very helpful to me is knowing that we’re going to make mistakes.”
Some committee members questioned Liscouski about the recent departures of several cyber-security experts from the administration, including Richard Clarke, Howard Schmidt and Ron Dick, and asked whether cyber-security is being given a sufficiently prominent role.
“I’m worried that cyber-security has been demoted,” said Zoe Lofgren, D-Calif. “How many desks are empty? Is there anyone there to answer the phone?”
The National Cyber Security Division at DHS has approximately 65 employees and an additional 35 positions to be filled, Liscouski said, adding that he believes the division has adequate funding at present.
Liscouski Tuesday formally announced the appointment of Amit Yoran to head the National Cyber Security Division at DHS. Asked why it took so long to fill the spot, Liscouski said it was a matter of finding the most suitable candidate.
“We just had to find the right person who understood that this is about execution. We needed an implementer,” he said, adding that the risk of potentially not succeeding in that role is “great.”