Tech CEOs Issue Cyber-Security Recommendations Group Seeks to Guide Policy in Bush's Second Term http://www.washingtonpost.com/ac2/wp-dyn/A44474-2004Dec7?language=printer
By Brian Krebs washingtonpost.com Staff Writer Tuesday, December 7, 2004; 5:13 PM A group representing technology industry chief executives on Tuesday warned that the Bush administration has failed to follow through on its two-year-old strategy for protecting the nation's information infrastructure and offered recommendations for improving the government's handling of cyber-security in President Bush's second term. At the top of the Cyber Security Industry Alliance's set of recommendations is raising the profile of cyber-security at the Department of Homeland Security by elevating the position of national cyber-security director to the assistant secretary level. Such a move, the technology community and some members of Congress believe, would bring stronger leadership to the division, whose director currently reports to an assistant secretary who is responsible for both cyber and physical security threats. "There is not enough attention on cyber-security within the administration," said Paul Kurtz, the alliance's director and a former senior cyber-security official in the Bush administration. "The executive branch must exert more leadership." Alliance members include Computer Associates, Juniper Networks, McAfee and Symantec. Kurtz was joined at Tuesday's event by Amit Yoran, the former director of Homeland Security's National Cyber Security Division who resigned in September. "We really have an opportunity here to address cyber-security in a more aggressive fashion," said Yoran, who was the third high-level cyber-security official to leave the Homeland Security Department in 18 months. "There is broad unanimity across the cyber-security community that we are still vulnerable and we need to do more." Technology industry sources told The Washington Post in October that Yoran left his post in part because he was frustrated that he lacked sufficient authority to implement cyber-security programs. The latest congressional effort to raise the profile of cyber-security within the Homeland Security Department failed this week. House leaders included language raising the cyber-security director's status in a major bill designed to overhaul the nation's intelligence community, but the measure was stripped from the version of the legislation agreed to by House and Senate negotiators. A Senate Republican aide familiar with the bill declined to say why the language was not included. The final version of the bill, which would create a national intelligence director and counterterrorism center, is expected to receive congressional approval before the end of the week. The technology industry alliance's recommendations closely mirror those set out in a 41-page report issued Monday by the House subcommittee on cyber security, part of the larger Homeland Security panel. That report also called for an assistant secretary post for cyber-security at Homeland Security, and urged the administration to consider tax breaks and other incentives for businesses that make computer security a top priority. "Right now, it's hard to see how the strategy that the administration came up with a few years ago is being systematically implemented," said Rep. Mac Thornberry (R-Tex.), chairman of the panel that produced the report. Thornberry said he has not decided whether next year he will reintroduce his bill to elevate the cyber-security position at DHS. Thornberry will leave the cyber-security panel next year to work on the House Intelligence Committee. The congressional report and the recommendations released by technology industry reflect growing frustration with the White House's commitment to implementing its National Strategy to Secure Cyberspace. Issued in February 2003, the document laid out a vision for protecting key areas of the Internet from digital sabotage as part of a broader strategy broader for guarding key U.S. physical assets from further terrorist attacks. The technology companies at today's briefing expressed frustration that much of their work toward implementing the cyber-security plan was met with silence from department leaders. A year ago, Homeland Security officials co-hosted a summit with Silicon Valley executives, urging the companies that own and operate key Internet facilities to map out concrete steps to implement the administration's cyber-security plan. In the following six months, those companies churned out dozens of recommendations for putting the plan into action, but several high-tech executives at today's event said they felt that their suggestions were being ignored. "I don't think we've gotten the support from the administration that we should have," said Arthur W. Coviello Jr., chief executive of Bedford, Mass.-based RSA Security Inc. The House Homeland Security panel and the Cyber Security Industry Alliance both want the department to match budget money to specific cyber-security programs and to take the lead in creating a disaster recovery and response plan should the United States suffer a debilitating digital attack. Both also want the White House to lean on the Senate to ratify the Council of Europe's Cybercrime Treaty to help law enforcement bring more hackers and virus writers to justice, and to dedicate more money to long-term cyber-security research and development programs. In addition, the administration should direct a federal agency to track costs associated with cyber attacks, an effort experts believe will help drive a market for cyber-security risk insurance and help companies make a stronger business case for investments in stronger computer security technologies. Lawrence Hale, deputy director of Homeland Security's cyber-security division, defended the department's progress on various information security initiatives. "Perhaps we could do a better job of highlighting our accomplishments and informing the public about what we have been doing," Hale said. He cited among those accomplishments the development of a program to find and fix vulnerabilities in so-called "digital control systems," the proprietary hardware and software products used to manage everything from the power grid to chemical manufacturing processes. Hale added that the department has been working to expand national emergency response plans to include a cyber component. He also said the department has been instrumental in helping federal agencies respond to and prevent computer attacks. "Do we have a long way to go? Certainly, but I would say that we're much better off than we were a year ago, and that both government and industry have made great strides." Two former CIA directors have sounded warning on cyber-attacks within the past week. At an anti-terrorism conference on Saturday, former CIA Director Robert Gates said a cyber attack could cripple the U.S. economy because many businesses reliant on information networks remain unprepared for such attacks. In a speech at a homeland security conference in Washington last Wednesday, former CIA Director George Tenet called for tough new cyber-security protections, pointing to a rapid increase in the number of foreign intelligence services and military organizations conducting research on information attacks. Staff writer Robert MacMillan contributed to this story. You are a subscribed member of the infowarrior list. Visit www.infowarrior.org for list information or to unsubscribe. This message may be redistributed freely in its entirety. Any and all copyrights appearing in list messages are maintained by their respective owners.
