[ISN] For cybersecurity, it's share and share alike

From: InfoSec News (isn@private)
Date: Tue Oct 21 2003 - 03:11:37 PDT

  • Next message: InfoSec News: "[ISN] "Building an Information Security Awareness Program" book review"

    Forwarded from: William Knowles <wk@private>
    
    http://www.fcw.com/fcw/articles/2003/1020/pol-cyber-10-20-03.asp
    
    By Diane Frank 
    Oct. 20, 2003
    
    The leaders responsible for the nation's critical infrastructures must 
    create rules for working together in the event of a crisis, according 
    to a presidential advisory group.
    
    Those rules will be the first step in avoiding a calamitous 
    domino-like crash of succeeding infrastructures if there is a unified 
    attack, private-sector leaders concluded in a set of proposed 
    recommendations for the Bush administration.
    
    The National Infrastructure Advisory Council (NIAC), made up of 30 
    high-level executives from the private sector, is developing 
    recommendations for President Bush and the Homeland Security 
    Department. The group will make a wide range of recommendations, 
    covering everything from how to disclose software vulnerabilities to 
    where government regulation can enhance security.
    
    The council includes representatives from every sector, but the group 
    called on expertise from organizations at DHS, the FBI, national labs 
    and several sector-specific organizations, such as the National Energy 
    Resource Council and the financial services' Banking Industry 
    Technology Secretariat, a technology consortium of the nation's 
    largest banks, to develop the recommendations.
    
    The goal of NIAC's recommendations is to alleviate the risks of any 
    disruptions in infrastructures, which include everything from power 
    companies to telecommunications networks.
    
    The power of the potential failures was demonstrated this summer when 
    a widespread power blackout spread over the Northeast and when a 
    string of worms and viruses clogged Internet connections.
    
    Incidents can have widespread, unanticipated effects, said council 
    chairman Richard Davidson, chairman and chief executive officer of 
    Union Pacific Corp.
    
    The council's first set of recommendations will go to the White House 
    soon. Others will be ready early next year. 
    
    The work that has already been done will be extremely helpful for the 
    Information Analysis and Infrastructure Protection Directorate at DHS, 
    said Robert Liscouski, assistant secretary of the infrastructure 
    protection office.
    
    "The working group has identified a lot of the things that we've 
    identified as we're rolling out," he said.
    
    The nine proposed recommendations, presented by the Working Group on 
    Cross Sector Interdependencies and Risk Assessment Guidance at the 
    quarterly NIAC meeting last week, have several short-term and 
    long-term action items. 
    
    Consistency across sectors is a common theme running throughout the 
    recommendations.
    
    A critical step is for leaders of the critical infrastructures to name 
    a coordinator, the group said. The coordinator must be a full-time 
    position, "given the importance of this role and the magnitude of this 
    role," said Susan Vismor, senior vice president of strategic 
    technology at Mellon Financial Corp. and co-chairwoman of the working 
    group.
    
    The proposed recommendations focus on the policy, coordination and 
    management aspects of problem prevention and incident response, 
    because modeling interdependencies is a multiyear and 
    multimillion-dollar process, Vismor said.
    
    Once the recommendations are implemented, the working group plans to 
    report back to NIAC through a score card that measures progress on 
    each item. 
    
    The council also heard updates from working groups that are developing 
    a common vulnerability reporting methodology, attempting to improve 
    the implementation and use of information sharing and analysis centers 
    in every sector, and looking at the potential role of government 
    regulation in private-sector infrastructure security.
    
    Experts have discussed the need for common reporting metrics. The 
    shrinking cycle between a vulnerability's discovery and an attacker's 
    exploitation — the Blaster worm this summer had a cycle time of less 
    than a month — proves the need for immediate action, said John 
    Chambers, vice chairman of NIAC and chairman of the vulnerability 
    disclosure working group. 
    
    The working group's recommendations will go to the president in 
    January, but during the next four to six months, experts will develop 
    a common way to categorize vulnerabilities, because even organizations 
    within a single sector can't seem to agree on this issue. "A common 
    scoring method…will underpin the rest of the vulnerability disclosure 
    guidelines," Chambers said. 
    
    DHS officials are anxious to get the recommendations from the 
    information sharing and analysis center enhancement working group, 
    because that is a situation that the department is trying to address, 
    Liscouski said. 
    
    To determine how government regulation could assist in raising the 
    level of infrastructure security, the working group's recommendations 
    are "going to be extremely valuable to us," Liscouski said. 
    
    "This is probably one of the more critical areas that we're looking 
    at" because of all the attention from industry, Congress and agencies, 
    he said. 
    
    Responding to a direct request from President Bush in July, members 
    also formed two new working groups to examine how to rank sectors' 
    vulnerability to cyberattacks and determine how best to increase the 
    overall security of the Internet.
    
    ***
    
    Nine steps to better security 
    
    The United States should take nine steps to improve the security of 
    critical infrastructures, according to a working group of the National 
    Infrastructure Advisory Council.
    
    * Create similar reporting structures across the various critical 
      infrastructure sectors, such as energy and telecommunications.
    
    * Better define and publicize the role of sector coordinators.
    
    * Develop and test crisis management plans in each sector and across 
      sectors.
    
    * Create a cross-sector virtual command center to coordinate 
      interaction with the private sector during crises.
    
    * Take advantage of government-sponsored exercises to devise and test 
      response plans. 
    
    * Enhance public awareness of the nation's dependency on the Internet 
      and promote development of higher-quality software.
    
    * Establish consistent coordination among public and private emergency 
      management organizations.
    
    * Find ways to defray the financial burden of securing critical 
      infrastructures. 
    
    * Build on simulation and modeling technology created in national 
      laboratories to conduct infrastructure research.
    
    
     
    *==============================================================*
    "Communications without intelligence is noise;  Intelligence
    without communications is irrelevant." Gen Alfred. M. Gray, USMC
    ----------------------------------------------------------------
    C4I.org - Computer Security, & Intelligence - http://www.c4i.org
    ================================================================
    Help C4I.org with a donation: http://www.c4i.org/contribute.html
    *==============================================================*
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomo@private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Tue Oct 21 2003 - 10:48:35 PDT