[ISN] NIAC Tackles Net Security

From: InfoSec News (isnat_private)
Date: Tue Apr 29 2003 - 00:26:28 PDT

    By Caron Carlson
    April 28, 2003

    As corporate America tries to work more closely with the federal
    government to improve network security, a primary goal among CEOs is
    avoiding new federal regulations.

    However, executives who are directly responsible for network security
    do not necessarily share that goal. CIOs and chief security officers
    across the country are quietly advocating regulation to spur their
    bosses into acting more effectively on network security, according to
    Tom Noonan, president and CEO of Internet Security Systems Inc., in

    There is a widespread feeling among executives accountable for IT that
    security is not receiving the attention it deserves from the helm,
    Noonan told top corporate executives gathered for a teleconference of
    the National Infrastructure Advisory Council last week.

    "I've wanted to head for the hills every time I hear it," Noonan said.

    Noonan's disclosure was met with resistance by members of the NIAC,
    many of whom already face considerable regulation.

    "Another layer of regulation [in the pharmaceutical industry] would
    probably just make it more complicated to get things done," said Karen
    Katen, president of Pfizer Global Pharmaceuticals and executive vice
    president of Pfizer Inc., in New York.

    The financial services industry is particularly eager to discourage
    Washington from adding new mandates to its lengthy roster of federal
    rules. Alfred Berkeley, vice chairman of The Nasdaq Stock Market Inc.,
    in New York, and Martin McGuinn, chairman and CEO of Mellon Financial
    Corp., in Pittsburgh, voiced opposition to further direct federal

    Nonetheless, the NIAC will take a closer look at the potential need
    for regulatory guidance, particularly within sectors that are not
    necessarily motivated by profit to enhance security, such as the water
    and electricity industries, said NIAC Chairman Richard Davidson,
    president and CEO of Union Pacific Corp., in Omaha, Neb.

    "In some unusual situations, it might take regulation to make this
    happen," Davidson said.

    The NIAC, made up of chief executives from companies hosting critical
    infrastructure, is now administered by the Department of Homeland
    Security. Robert Liscouski, who was appointed assistant secretary of
    Homeland Security for Infrastructure Protection, in Washington, late
    last month, sat in on Tuesday's meeting.

    Addressing a concern expressed lately by prominent IT experts,
    including Richard Clarke, former cyber-security adviser to the
    president, Liscouski said the Information Assurance and Infrastructure
    Protection division of the new department "places an especially high
    priority on protecting our cyber-infrastructure."

    The NIAC is also looking at the thorny issue of network vulnerability
    disclosure. Council members' opinions on the topic range from full
    disclosure to limited disclosure, but there is a consensus that
    guidelines are needed for handling vulnerabilities, said NIAC Vice
    Chairman John Chambers, president and CEO of Cisco Systems Inc., in
    San Jose, Calif.

    "Lacking existing guidelines, people invent solutions," Chambers said,
    adding that ad hoc solutions can create new problems. A task force set
    up by the council will complete a study of the matter by the end of
    June, Chambers said, and the initial assessment is that disclosure can
    cause more risks than it eliminates.

    The question of how much network threat data a corporation should
    share with the government creates an ongoing predicament for many
    enterprises. Divergent policies and practices are evident in the
    varying degrees of participation within the Information Sharing and
    Analysis Centers for each industry, according to members.