RSA Conference: Critical Infrastructure Partnerships Must Deepen for Security

Partnerships between government and business need to deepen to improve critical infrastructure security, a top Defense Department official said.

The idea that securing the country's critical infrastructure requires alliances between companies and government is an oft-repeated theme at security conferences, and today was no exception.

At the RSA Conference in San Francisco, Deputy Secretary of Defense William Lynn III and Symantec CEO Enrique Salem discussed the threats facing the country's most vital networks, as well as the necessity of partnerships to counter them. But both also noted that such public and private sector partnerships need to improve.

In his comments at the conference, Lynn said the government's Cyber 3.0 strategy rests on five pillars: recognize cyber-space as a domain of warfare, equip networks with "active defenses," protect critical infrastructure, build critical defenses with the nation's allies, and promote partnerships between the government and the private sector.

Owners and operators of critical infrastructure could benefit from a combination of pillars three and five, which would extend the "active defenses" used to protect government networks to the private sector, he said. The challenge, he added, is developing the legal and policy framework that would allow it.

Last year, Lynn discussed the concept of active defenses in an article for Foreign Affairs magazine, describing them as systems designed by the National Security Agency (NSA) that "automatically deploy defenses to counter intrusions in real time" based on warnings from intelligence services.

Yet efforts along these lines have sparked controversy in the past. Last July, for example, privacy concerns were raised when the Wall Street Journal reported that an NSA project known as "Perfect Citizen" would involve the use of sensors on computer networks belonging to private-sector companies. The NSA denied the assertion, telling eWEEK at the time that the project is a "vulnerabilities-assessment and capabilities-development" effort that does not involve the use of any sensors or the monitoring of communications.

Collaboration between the government and critical infrastructure companies has produced a range of regulations over the years, though their effectiveness has repeatedly been called into question. For example, a recent audit by the U.S. Department of Energy assessing power grid cyber-security found that some companies were still failing to properly classify "critical assets," the designation that determines which systems the protective standards apply to.

In a private session with the media, Symantec's Salem told journalists much work needs to be done to build alliances between business and government.

"One of the biggest issues you got, [and] unfortunately we haven't made enough progress, we need better coordination across the government agencies, and from the government agencies to the private sector," he said. "I think we still work too much in silos inside the government [and] work too much in silos between the government and the private sector."

Threats like Stuxnet also require companies to take a more proactive approach to security, an approach Symantec is pursuing with reputation-based technologies, he said.

"The world has now moved from the espionage to the sabotage, and you should expect to see more aggressive disruption of the infrastructure via this kind of [attack]," he said in response to questions about Stuxnet.

"The problem is when you see something like this, others will follow," he added.