Cybersecurity agenda for the next president
Cybersecurity is not a technical issue, but a matter of culture, education, and self-interest; government cannot regulate information technology security, and industry cannot do the job by itself
The U.S. cyber infrastructure has been under almost constant attack for a while now, and is currently at greater risk than eight years ago. A group of experts and legislators have come together to make sure that cybersecurity has a high priority in his or her administration. The Commission on Cyber Security for the 44th Presidency, set up in November by the Washington, D.C.-based Center for Strategic and International Studies (CSIS), held the second of five planned public meetings last week to hear recommendations on issues of information security, identity theft and government leadership. GCN’s William Jackson writes that panelists said that cybersecurity is not a technical issue, but a matter of culture, education, and self-interest. Government cannot regulate information technology security, and industry cannot do the job by itself. Forging the public/private partnership needed to provide adequate security will require leadership in both government and industry. Cooperation between the two spheres may not be easy to come by, said John Koskinen, who spearheaded the government response to the Year 2000 Transition. “The private sector is always nervous about what the government is up to,” Koskinen said. Business deals with security in terms of business cases and managing acceptable risk, while government tends to deal in regulatory absolutism. And information sharing is always a challenge. The advice of corporate general counsels is generally “Don’t tell anybody anything.” The Y2K transition showed that effective cooperation is possible if government acts as a catalyst to establish priorities and bring different sides together, he said.
The nonpartisan think tank established the commission “to develop recommendations for a comprehensive strategy to improve cybersecurity in federal systems and in critical infrastructure.” Its goal is to have a package of recommendations ready for the next president by November. Cybersecurity will be competing with numerous other domestic and international, economic, security and political issues for the presidential transition team’s attention. Establishing it as a high priority will require putting it on the legislative and policy agenda from the beginning of the administration, organizers say. Co-chairmen of the group are the former director of the U.S. National Security Agency, Lt. Gen. Harry Radeuge; Scott Charney, vice president of trustworthy computing at Microsoft; Representative Jim Langevin (D-Rhode Island), chairman of the Homeland Security Subcommittee on Emerging Threats, Cyber Security and Science and Technology; and ranking Republican Representative Michael McCaul of Texas. Members of the commission include Amit Yoran, formerly top cybersecurity official at DHS; Orson Swindle, formerly of the Federal Trade Commission; and Marty Stansell-Gamm, former head of the Department of Justice’s computer crimes division; in addition to a number of industry executives.
There was not complete agreement among panelists on cybersecurity priorities. They agreed that a single national data breach notification law is needed to replace the current patchwork of forty-plus state laws. Although Lisa Sotto, a partner at the law firm Hunton and Williams, called for federal preemption of state laws, David Mortman, chief information security officer-in-residence at Echelon One, wanted federal law to set a baseline for breach notification without precluding stiffer state requirements. Julie Ferguson, vice president of emerging technology at Debix, called for a zero-tolerance policy for identity theft enforced by required verification of online transactions with consumers. Jay Foley, founder of the Identity Theft Resource Center, called for creation of a national death registry and for the Social Security Administration to create a database tying Social Security numbers with dates of birth to help prevent misuse of the numbers even though efforts are being made to stop their use as a unique personal identifier. Pamela Fusco, executive vice president of security solutions at Fishnet Security, said she wanted to establish an International Data Classification Standard that could help identify and assess value and risk to data. This would improve business practices and help put teeth in government regulation, she said. “Information is not being identified as essential,” Fusco said. “We’re protecting machines, we’re protecting access,” we have not developed standard ways to classify and prioritize the information that underlies them.