[ISN] Yoran: Locals must lead IT security

From: InfoSec News (isn@private)
Date: Fri Apr 30 2004 - 00:30:31 PDT


    http://www.fcw.com/geb/articles/2004/0426/web-secure-04-29-04.asp
    
    By Diane Frank 
    April 29, 2004  
    
    Local officials must take the lead in securing the information 
    infrastructure within their jurisdictions, but the Homeland Security 
    Department is standing by ready to help, according to Amit Yoran, 
    director of the department's National Cyber Security Division.
    
    Cybersecurity is still several steps behind physical security when it
    comes to the attention and priority of officials at all levels of
    government, officials stressed at the midyear conference of the
    National Association of State Chief Information Officers in Chicago.  
    One of the most worrying examples of this is the lack of mention of
    information infrastructure in grants guidance from DHS' Office of
    Domestic Preparedness, said Randy Potts, the chief information
    security officer for Nevada.
    
    "It has been all about boots and suits for a very long time," agreed
    Aldona Valicenti, the former president of NASCIO and CIO of Kentucky,
    now with Oracle Corp. She urged Yoran to use his and others' political
    influence to make cybersecurity more visible in the official language
    and requirements for homeland security at the federal level.
    
    Some states are already putting cybersecurity among the top issues on
    their homeland security lists. Indiana has created three task forces
    for particularly urgent areas within the state: agriculture,
    transportation and cybersecurity.
    
    The cybersecurity task force has taken a bit longer than the others to
    get off the ground because of confusion over where the industry
    viewpoint fits in, said Clifford Ong, homeland security director for
    Indiana. "We haven't really defined the population or what it is we
    want to try to do," he said.
    
    However, the state has already dedicated $1 million to an intrusion
    detection system for all of the state's information networks while the
    task force gets going, Ong said. The guidance for passing on federal
    homeland security grant funding to local jurisdictions also includes a
    requirement that cybersecurity must be involved in the solution, he
    said.
    
    At the federal level, the NCSD and its parent organization, the
    Information Analysis and Infrastructure Protection Directorate, are
    doing what they can to make sure that the physical experts are also
    thinking about the cyber vulnerabilities and consequences, Yoran said.
    
    Exercises seem to be one of the best ways to foster this type of
    broader understanding, said Stuart McKee, CIO for the state of
    Washington. The TopOff exercise conducted in part of that state last
    year significantly changed the perspective of many officials about the
    importance of cybersecurity, and that change has lasted, he said.
    
    There are further exercises planned - DHS just announced TopOff 3 will
    take place in April 2005 - but even for smaller-scale exercises the
    division is working with the rest of the department "to make sure that
    noncyber exercises incorporate or include some form of cybersecurity
    thinking," Yoran said.
    
    The department's resources and expertise in local issues are limited,
    but Yoran said he would love to do regional or local exercises. The
    key will be for officials at the state and local levels to get the
    ball rolling, determine what their needs are and what they want to get
    out of the exercise, and then DHS "would be happy to participate," he
    said.
    
    
    
    


