DHS Takes a Stand on IT Security

The Department of Homeland Security (DHS) is engaging in a initiative designed to propel cyber security into the upper echelon of corporate governance. Already strongly supported by security companies, it is gaining ground among top IT companies as well as the business world at large.

“The private sector has to step up to its security responsibilities,” said Robert Liscouski, assistant secretary for Infrastructure Protection of the DHS. “A lot of people out there are willing to legislate how you do your work if you don’t rise to the challenge. Securing cyberspace is not a small effort. We are demanding the help of the vendor and academic communities.”

Instead of wielding the big stick, though, the government appears intent on mobilizing the IT world to popularize security. On December 3 DHS held a National Cyber Security Summit in Santa Clara, Calif. Its goal was to establish realistic and effective strategies for implementing the recommendations of the White House National Strategy to Secure Cyber Space released earlier this year.

The list of more than 300 attendees reads like a Who’s Who of the IT world. On the vendor side, it included Computer Science Corp. (CSC), Computer Associates (CA), Symantec, Microsoft, HP, Sun, Entrust, RSA Security, Oracle, Network Associates, Lockheed Martin, Science Applications International Corp., EDS, VeriSign, and Zone Labs. Government agency representation encompassed numerous elements of DHS, National Security Administration (NSA), Secret Service, Department of Justice (DOJ), the White House, National Institute of Standards and Technology (NIST), FBI, as well as representatives from state and local government.

The opening session was all about delegation of duties. Instead of government assuming the burden of securing the technology backbone, the onus was placed firmly on the private sector.

The reasons behind such an approach are obvious. DHS has to police 95,000 miles of US shoreline, 7000 miles of shared borders, over one million people a day entering the US as well as cyberspace. The enormity of the task is compounded by the fact that 85% of the infrastructure is owned and operated by the private sector. Plus, the electric grids, banking system and all other aspects of the nation’s backbone are technology based, and present an attractive target to terrorists.

“We are not going to let anyone in government or the private sector dodge their responsibilities to cyber security,” said Liscouski. “We want to see results, and I will be sticking my finger in the chest of anyone failing to step up.”

But Liscouski conceded that government-led solutions are not typically the ones people follow. In his view, industry-led initiatives have a better chance of gaining broad agreement and support.

Task Forces Formed

At the Cyber Security Summit, DHS organized the private sector into a series of task forces aimed at various aspects of cyber security.

“We are a nation at war and that requires better collaboration between the public and private sectors,” said Amit Yoran, the director of the DHS National Cyber Security Division. “These partnerships have been initiated to take certain aspects of national cyber security strategy and transform them into effective action.”

To achieve this, the DHS has organized a series of five task forces:

Awareness for Home Users, Small Business and Local Government Task Force

Initially, this task force was focused on home users and small businesses, but its scope has been extended to include state and local governments. It’s members include representatives of the Federal Trade Commission, AIG, eBay, Microsoft, Network Associates, American Bankers Association, Symantec, RSA Security, US Chamber of Commerce, Lockheed Martin, Carnegie Mellon and the Secret Service.

“The summit has exceeded all our expectations by gathering together outstanding talent and fostering a commitment to making our actions meaningful,” said Howard Schmidt, co-chair of the task force, and chief information security officer at eBay.

Schmidt laid out the initial actions to be taken: explain security problems in simple terms; assign individual responsibilities for security; and linking cyber security concerns with those of personal privacy. At the government level, he stressed that state and local agencies have an economic as well as a public safety issue to address.

By making the Internet secure, governments can engender confidence in e-commerce in their respective areas, and also help prevent economic collapse due to cyber threats.

William Pelgrin, New York director of Cyber Security and Critical Infrastructure, a member of the task force, sees awareness as an integral part of improved security.

“Cyber security needs to become as commonplace as the use of a seatbelt,” said Pelgrin. “All state and local employees should receive cyber awareness training, and such programs have to be pushed from the top.”

Corporate Governance Task Force

The corporate governance task force deals with cyber security roles and responsibilities within the corporate management structure. Its members include Entrust, RSA Security, VeriSign, Software and Information Industry Association, IT Governance Institute, Intel, IBM, and Notre Dame University.

The task force is advocating stronger security governance programs that would require large companies to work with suppliers and smaller partners to put such programs in place by adopting proper security practices.

“If one company has poor security procedures, it puts all of its partners at risk,” said Art Coviello, co-chair of the Corporate Government task force and CEO of RSA Security. “That’s why we have to elevate this issue to the CEO-level. We can drive collaboration between the public and private sectors via corporate governance.”

Cyber Security Early Warning Systems Task Force

This task force is charged with improving the sharing, integration and dissemination of information about vulnerabilities, threats and incidents. This body will work closely with CERT (the Community Emergency Response Team at Carnegie Mellon University) to improve the level of warning and response to incidents. Members include Department of Justice, SAIC, Indiana University, SBC, Information Technology Association of America, Bank of America, U.S. Military Academy and HP.

“We are doing this because it is the right thing to do, not because there is a threat of legislation if we don’t do it,” said Guy Copeland, task force co-chair, and Special Advisor to the CEO of CSC. “This is a real opportunity to serve our country, as well as our own interests by using enhanced security to maximize the business value of the Internet.”

Security Across the Software Development Life Cycle Task Force

This group is considering ways of reducing vulnerability by monitoring the entire software development lifecycle. Members include CA, Business Software Alliance, NSA, House Science Committee, Intel, Software Engineering Institute, AT&T Wireless, BellSouth and SAP.

Its scope encompasses four main areas:

  • Education and certification aimed at placing security at the heart of the software development process.
  • Best practices to reduce defects in both the development process and final product.
  • Patch management.
  • Incentives for a culture of security.
  • Technical Standards and Common Criteria Task Force

    This task force deals with new tools, technologies and practices that can reduce vulnerabilities at every level — from the federal government down to the home user. Members include National Institute of Standards and Technology (NIST), Stanford University, Dow Chemical, State of Louisiana, Union Pacific and Lucent Technologies.

    “From a system-admin viewpoint, you have to make it easy to be able to configure different products securely,” said Ed Roback, chief of the Computer Security Division at NIST. “We are planning to put together a central repository for data on security of systems and configurations for the various levels of security.”

    Several speakers cautioned that the work of the task forces should not merely set up another strata of bureaucracy or another catalog of unnecessary meetings. But whatever the eventual impact of the summit and its resultant groups, one thing is clear: the DHS has captured, for now at least, the imagination of the private sector and has mobilized them into a body that could have a major impact on the level of cyber security in the country as a whole.

    “I am encouraged by the impassioned dialogue of the summit,” said DHS’s Yoran. “While this is not the only activity supporting the national strategy, it is one facet of our ongoing actions and an important one if we are to secure America from cyber-attack.”