In a major change of heart for both sides, government representatives and corporate CIOs are for the first time pledging to share more information with each other in an effort to improve security across the nation's critical IT infrastructure.
The coming together is the result of efforts over the last month by the federal government—namely, the Department of Homeland Security—to recruit the help of the private sector in implementing its lofty NSSC (National Strategy to Secure Cyberspace). To accomplish this, the DHS reversed its stance on certain measures of the NSSC that were heavily criticized early on, such as the lack of private-sector influence and the establishment of a repository of security data that would reside with the government. Both issues are now not only on the table but are also pushing the two sides together.
Government representatives and corporate CIOs met at the National Cybersecurity Summit in Santa Clara, Calif., last week and began crafting ways to implement the NSSC. During the summit, five task forces were organized around specific topics, such as early-warning systems and security in software development, and guidelines for each topic were developed.
In addition, DHS officials outlined a plan for information sharing that would involve the newly created organization US-CERT. US-CERT would create four or five reporting programs to alert organizations in various sectors about imminent threats such as worm outbreaks or widespread attacks. The organization would also provide tips and information on protecting against the threats.
Industry executives said the government is finally moving in the right direction.
“I think we're making progress on information sharing,” said Chris Klaus, founder and chief technology officer of Internet Security Systems Inc., in Atlanta, and co-chair of the Technical Standards and Common Criteria task force at the summit. “We've been getting better information from [the government], and we've been working more closely with them.”
There are also indications that the government may be willing to provide to the private sector some sensitive data gathered by intelligence agencies on a limited basis, sources said. This kind of openness and spirit of cooperation is an about-face for the government, which in recent years has been criticized by security experts for being slow and stingy in providing data. As a result of that criticism, the mandate for change has come down from the highest levels of the Bush administration.
“As we confront the crucial issue of cyber-security, it's important that our efforts follow a similar path,” Tom Ridge, secretary of the DHS, said in a speech at the summit. “One where we share information, work together and close any gaps and weaknesses that terrorists would otherwise seek to exploit. Before 9/11, each separate sector of our nation's critical infrastructure had its own mechanism for sharing information, but there was no coordination between these industrial sectors.”
But the change of heart by the government comes with a catch: Technology companies must do their part as well or face new federal cyber-security regulations. Private-sector security experts and CIOs overwhelmingly oppose formal regulations and say they are interested in cooperating with the government as much as possible.
“I think we're all ready to contribute now. We're willing to share as much as we can. We're all wide open on the government plan,” said Ron Knode, director of global security solutions at Computer Sciences Corp., based in El Segundo, Calif. “But it's not fair for the government to say ‘Gimme, gimme, gimme’ and not reflect anything back. There are still some cross-purposes in government that make us anxious about sharing. We need to be unencumbered without some legal liability you have to think about.”