[ISN] Panel urges cooperation on cybersecurity

From: InfoSec News (isnat_private)
Date: Thu Dec 12 2002 - 00:36:57 PST

  • Next message: InfoSec News: "[ISN] PNG (Portable Network Graphics) Deflate Heap Corruption Vulnerability"

    By Michael Hardy
    IDG News Service
    DECEMBER 11, 2002
    Protecting financial institutions from cyberattacks requires
    increasing levels of cooperation between the government and the
    private sector, panelists said yesterday at a conference in Washington
    called Homeland Security 2002: Establishing a Culture of Cooperation.
    Many of the conference's sessions emphasized such cooperation, which
    is being fostered by changing mind-sets in both government and the
    private sector.
    In the financial services world, the responsibility for keeping up
    with threats -- and the technologies that can help guard against them
    -- rests with the banks and investment houses, said Richard Marshall,
    deputy director of the Critical Infrastructure Assurance Office, one
    of 22 federal agencies that will soon become part of the U.S.'s new
    Department of Homeland Security.
    "The scope of change, the pace of change is just too quick for
    government regulators to keep up with," he said. "This has got to be a
    self-curing issue."
    The key for financial firms is business continuity, he said. The
    threat might be electronic, or it might be a physical attack or
    disaster. Either way, a firm must be sure that it can continue
    operating, protect its customers' privacy and anticipate problems in
    time to prevent them.
    Marshall's agency is working on the finishing touches to the National
    Strategy to Secure Cyberspace, a collection of best practices that
    business are invited -- but not required -- to follow in implementing
    security programs. The public comment period on the document closed
    last month, and Marshall said he expects President George W. Bush to
    approve it early next year.
    "We don't pretend to know all the answers, but we believe that
    together we can help come up with some intelligent solutions," he
    said. "And we realize that it's not going to be government-down. It
    has to be 'Let's join hands and work together.'"
    Financial services firms in general are ahead of other private-sector
    industries in securing their information, but they aren't where they
    need to be, Marshall said. "You need to raise the security bar," he
    The technological challenges are formidable, said Dale Hazel, senior
    vice president of marketing at Convera Corp., a software company that
    makes search products for businesses. More than some other types of
    businesses, financial institutions store massive amounts of data, he
    said. Terabyte measurements are common, and he said he has seen some
    databases that exceed a petabyte, or 1,000 terabytes. Such mountains
    of information stretch the limits of system scalability, he said.
    Meanwhile, companies don't have a good handle on how to balance
    prudence with overzealousness, said J. Michael Gibbons, a former chief
    investigator of computer crime for the FBI, now a senior manager at
    consulting firm BearingPoint Inc.
    "Those of us in homeland security all just want to understand how much
    security is enough," he said. "We want the truth, and the quest for
    the truth is the most difficult thing we face."
    Inside financial firms, executives see the wisdom of spending money on
    security, said Leigh Williams, senior vice president and chief privacy
    officer at Fidelity Investments Inc. His company spends about $1
    billion per year on technology, much of it security-focused, and
    believes that the cost is worth the payback.
    "We have for a long time expected a return on our business-continuity
    efforts," he said. "We do believe that before the September attacks,
    it made a lot of sense to invest very heavily in protecting the data
    and systems customers rely on. I don't think that has changed at all
    in the last couple of years."
    What has changed, Williams said, is the approach to the problems.
    "Before September of 2001, we approached security in a very fragmented
    way. We tended to split data security from physical [security]," he
    said. Since then, the company has come to see both physical and
    cybersecurity as part of the same issue.
    Fidelity has integrated itself more closely with financial services
    firms, smaller banks and other institutions, Williams said. "We're
    operating more as an industry and less as a collection of firms," he
    said. "And with that, industry is now better connected to government."
    During the past couple of years, financial trade associations --
    including the Securities Industry Association, the Investment Company
    Institute "and a dozen other trade associations" -- have consolidated
    their efforts to interact with government through a new group they
    formed called the Financial Services Sector Coordinating Council,
    Williams said. Meanwhile, government agencies and regulators have also
    been consolidating power.
    "Instead of there being hundreds of us talking at once and getting
    nothing done, we've become much more tightly integrated," said
    Fidelity plans to sustain its high level of investment in security.  
    "It takes a pretty good bite out of our bottom line," he said. "We do
    it because we think it will offer us some payback."
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Thu Dec 12 2002 - 03:57:58 PST