[ISN] Panel must narrow cybersecurity scope

From: InfoSec News (alerts@private)
Date: Tue Nov 06 2007 - 03:04:50 PST


http://www.fcw.com/online/news/150696-1.html

By Jason Miller
FCW.com
November 5, 2007

A new blue-ribbon panel that will develop cybersecurity recommendations 
for the next president faces a compressed schedule and the challenge of 
agreeing on a cybersecurity agenda that it wants the next administration 
to address.

Experts say cyberthreats from terrorists, organized crime and other 
countries lack a common thread and instead stem from a variety of 
vulnerabilities, including insufficient training, technology weaknesses 
and a culture of Internet use that puts the public and private sector at 
risk. For those reasons, the most obvious recommendation for improving 
basic cyberdefenses is the hardest to accomplish, said Glenn Schlarman, 
former branch chief at the Office of Information Policy and Technology 
at the Office of Management and Budget.

The Center for Strategic and International Studies (CSIS) organized the 
Commission on Cyber Security for the 44th Presidency and outlined its 
objectives at an Oct. 31 briefing.

“We want to give the next administration new ideas or policies that they 
can pick up and run with,” said Jim Lewis, director of CSIS’ technology 
and public policy program. “This is a threat that is growing and putting 
our critical infrastructure and financial systems in peril. People are 
attacking the U.S. in better and smarter ways, and we need to become 
better and smarter to deal with them.”

Some experts maintain that security measures should address widespread 
problems.

Schlarman said “nearly every example of something bad that happened — 
even the Chinese having their way with defense systems — has not been 
rocket science but poor security practices. We still do not correct 
commonly known vulnerabilities in information systems. The problem is 
poor hygiene. There is not some new dirt that we have to get out.”

Schlarman and some other experts who are not on the panel said they 
support its goals, but they said the panel should narrow its scope to be 
effective.

“When you think about information security, there are three main areas 
to look at: prevention, detection and response,” said Daniel Castro, 
senior analyst at the Information Technology and Innovation Foundation. 
“Right now, it is not very clear that the U.S. is doing any of these 
very well.”

CSIS named Reps. Jim Langevin (D-R.I.) and Mike McCaul (R-Texas), 
chairman and ranking member, respectively, of the Homeland Security 
Committee’s Emerging Threats, Cybersecurity, and Science and Technology 
Subcommittee, as co-chairmen. Scott Charney, vice president at 
Microsoft’s Trustworthy Computing Group, and retired Navy Adm. Bobby 
Inman, a professor of national policy at the University of Texas at 
Austin, will represent industry as the panel’s co-chairmen.

The 31-member commission, which includes former federal officials and 
industry leaders, will hold five plenary sessions to discuss an agenda. 
The first one is scheduled for this week. The panel plans to submit 
recommendations to the next president by December 2008, Langevin said.

The commission will offer a blueprint for securing cyberspace, Langevin 
said. “My philosophy as subcommittee chairman is that we are such a free 
and open society that it is very difficult if not impossible to secure 
the Internet. My objective is to identify the most severe 
vulnerabilities and close them.”

Larry Clinton, president at the Internet Security Alliance, said the 
commission’s goals are laudable, but he questioned how it will come up 
with concrete recommendations in such a short time.

“This is the latest in a series of groups trying to do this,” Clinton 
said, referring to the Partnership for Critical Infrastructure Security, 
which for the past six years has been trying to coordinate cross-sector 
initiatives to safeguard critical infrastructure services. “This isn’t 
easy because, if it was, it would have been done. They have a very 
ambitious schedule.”

Lewis said the commission will benefit from its members’ familiarity 
with one another and with the challenges.

“We want to agree on a set of principles that will guide our 
recommendations,” said Bruce McConnell, president at McConnell 
International and a member of the panel. “That will help us on a lot of 
the specifics,” such as assessing current and future threats, reviewing 
authorities and policies, and evaluating requirements for critical 
infrastructure protection.

The commission also will tackle software assurance and ongoing security 
initiatives in the private and public sectors.

“Since Sept. 11, 2001, the focus has been on physical security threats 
and we have paid little attention to cyberthreats,” McCaul said. “A 
digital Pearl Harbor [could be] a reality.”

Langevin added that the next administration would be unwise to ignore 
the commission’s recommendations.

“There is an opportunity when a new administration comes in, and that is 
our hope,” Lewis said. “The threat is growing, and we have to figure out 
how we organize ourselves to deal with it.”


