Congress last week set aside $903 million over the next five years for new education programs and public/private partnerships that are designed to battle attacks on computers. Almost immediately, vendors began racing to bid for a share of the pie.
Microsoft Corp. last week named former U.S. Coast Guard officer Thomas Richey to the companys new post of federal director of homeland security. According to the company, the job will focus on promoting cross-agency collaboration. But the post will likely help the Redmond, Wash., software developers voice be heard when requests are made for part of the federal funding, observers said.
Also in line for funding are private/public partnerships such as the Regional Alliance for Information and Network Security, or RAINS, a group of more than 60 companies in Oregon thats developing a system to link federal, state and local agencies with universities and commercial companies.
RAINS is looking to coordinate responses to emergencies. Dubbed O-Test, the project is slated to make it easier for organizations to exchange information quickly by providing them with a common, secure platform.
RAINS co-founder Wyatt Starnes said the system serves as a specialized secure interactive newsletter where organizations can send and receive messages about cyber-attacks and other security emergencies. Starnes is also CEO of Tripwire Inc., in Portland, Ore., which is providing data monitoring software to secure the end points in servers and client computers for O-Test.
The project is expected to help advance another legislative initiative, proposed by Sen. Ron Wyden, D-Ore., which would create a “Net Guard,” or civil defense force, to defend against cyber-attacks.
“[O-Test] gives you a structure that really doesnt exist in the Net Guard initiative,” Starnes said. “I think they will find [Net Guard] will be an easier program to explain if they have worked through some of the problems at the fundamental level.”
RAINS, which is funded by the Oregon state government, is piloting the system in Oregon, but Starnes said he expects other states to join the initiative in reciprocal arrangements.
The group, which needs $6.5 million for O-Test, will seek private, state and federal backing, including funds from the cyber-research- and-development act passed last week, Starnes said.
RAINS considers O-Test a model of the kind of public/private partnership recommended in the draft “National Strategy to Secure Cyberspace.” Like many in the security business, Tripwire will urge the Bush administration to put back into the document some of the more stringent details that were taken out before it was released for comment in mid-September.
“Our comments favor a little tighter sort of legislation of some particular issues,” Starnes said, adding that the government needs to set common criteria for ranking security products. “Wed like to see some teeth in that because were spending a lot of money getting ranked and rated.”
Microsoft officials are also seeking tougher action from Congress, particularly a way to stem the tide of crackers and script kiddies throwing their efforts against Americas networks.
“A lot of the established equilibrium we have in the physical world doesnt exist in the cyber world,” said Craig Mundie, chief technology officer of Microsoft, in Redmond, Wash.
“People shouldnt steal cars if they dont want to go to jail, for example,” Mundie said. “But that protection doesnt exist yet in cyber-security. Now, government shouldnt be prescriptive about what kinds of technology people use to defend their networks, but they should write laws that say its illegal to steal cars or whatever the equivalent is in the cyber world. We have ineffective legal deterrents right now.”
The Bush administration receives final comments this week from industry representatives and others regarding its strategy to secure cyberspace.
A 16-page amendment that was added to the funding bill would increase the deterrence factor. Known as the Cyber Security Enhancement Act, the amendment provides for harsh penalties—including life in prison—for some information security crimes.