Solving Security, Together

Opinion: Both the government and enterprises have crucial roles to play to keep our infrastructure secure.

The day we were writing this editorial, we couldn't help but notice news reports that intruders had busted into a liquefied natural gas facility a few miles south of eWEEK's Woburn, Mass., editorial office. KeySpan Energy didn't catch the breach until five days after it happened because officials failed, until then, to review a surveillance tape that captured the incident. Oops.

OK, so we know the nation's chain-link-fence protection isn't so hot—all you need is a pair of wire clippers. But what about the cyber-protection of the IT systems that back up our national infrastructure?

If you've read Senior Writer Chris Preimesberger's cover story, you already know that he hooked up with Sandia National Labs' Information Design Assurance Red Teams. The Red Teams have been finding all kinds of vulnerabilities: in the power grid, water supply, government and military systems, municipal systems, prisons, and on and on. This doesn't merely raise issues about the public sector and its attention to cyber-security in these post-9/11 years. As pointed out to us by John Clem, program manager for the Red Teams, one key for improving security associated with critical infrastructure systems is strong partnerships between government and industry.


One thing the Red Teams have found (and enterprises already know all too well) is that security, unfortunately, is not inherent in existing systems nor necessarily in systems being developed and deployed today.

Although "information superhighway" is, in many ways, a bad metaphor, it's not completely wrong. Vehicles on a real-life highway can be properly maintained and carefully driven, but poor design and shoddy maintenance of roads will still make driving dangerous for all. Likewise, global choices of protocol (IPv4 versus the far more securable IPv6) and policy (the badly conceived European Parliament Convention on Cybercrime) create an environment in which individual participants in the worldwide Net have to spend too much money and time for little real protection.

It's the proper role of national governments to sponsor the research and create the investment incentives that make things better across the board. It's the proper role of management at major enterprises to speak with a clear and coherent voice about that government role and to make their best people available to support it.

Not only that, it's up to enterprises to take the advice that Clem would give them: Be proactive in identifying opportunities to partner with other institutions so that domain expertise can be shared. Be proactive in identifying sufficient budgets for IT departments. Enterprises also should take responsibility for process control systems so they can assess their level of security and integrate security into every phase of system life cycles. Finally, engage in a continual cycle of assessment and improvement.


eWEEK's Editorial Board consists of Jason Brooks, Larry Dignan, Stan Gibson, Scot Petersen and Lisa Vaas.
