Locking down America's Net defenses

Andy Purdy, acting director of DHS' National Cyber Security unit, says that though progress has been made in protecting the Net, the work isn't done.

Joris Evers Staff Writer, CNET News.com
SAN JOSE, Calif.--How prepared is the United States to defend against a cyberattack?

We'll soon find out, says Andy Purdy, acting director of the National Cyber Security Division of the Department of Homeland Security.

Last week, Purdy oversaw the first large-scale mock cyberattack, aimed at gauging the nation's readiness to handle computer-based threats to critical infrastructure.

The weeklong exercise, dubbed "Cyber Storm," came three years after the Bush administration signed off on the National Strategy to Secure Cyberspace. Results of the exercise will be made public this summer.

In the meantime, though progress has been made on the government's strategy for protecting the Internet and securing information systems, the work is not done, a panel of security experts said at the RSA Conference 2006 here on Tuesday.

Purdy was one of the panelists. He sat down with CNET News.com to discuss the nation's preparedness for cyberattacks and what should be done to help defend critical infrastructure.

Q: In a nutshell, can you describe the National Strategy to Secure Cyberspace? What's it all about?
Purdy: The strategy really told Americans what needs to be done to help secure cyberspace. It articulates high-level priorities for action. At DHS we try to implement those priorities. From that we developed our mission, in collaboration with our public and private partners, to secure cyberspace and America's cyberassets.

What kind of tangible things have actually been achieved over the past three years?
Purdy: Priority one was to build an effective national cybersecurity response system. I believe we have built that capability. In fact, during last week's Cyber Storm exercise, we tested and worked through communications paths and processes for responding to significant malicious cyberactivity.

The response system, is that the Computer Emergency Response Team, CERT, for example?
Purdy: It is really a combination of capabilities. Our US-CERT, which is the partnership between DHS and public and private sectors, is the operational piece of what we do to try to prepare for and respond to significant cyberactivity. That's a key component of the cyber response system. What we have done is we have leveraged the capabilities of the U.S. government from a cyberdefense perspective. We brought together the capabilities of situation awareness, response and recovery, so that we can work effectively together to help reduce those cyberrisks.

You mentioned the Cyber Storm exercise you had last week. What does such an exercise entail? Is there an easy way to describe what you do when such a thing goes down? Do you try to mimic an actual attack?
Purdy: The Cyber Storm exercise included players from government at the federal, state and international level and key private sector participants to work through what would happen if there were significant cyberattacks that disrupted or impacted the energy and transportation infrastructure and targeted federal, state and international governments with the intent of disrupting those government operations. It basically tested and practiced how the different entities would respond to understand what was happening, attribute the source of it and help provide actionable guidance to help reduce the impact of that activity.

Have you been able to determine whether we are actually well prepared for this, or is there much that needs to be done?
Purdy: We believe that we have a robust national cybersecurity response system. However, we recognize the need to enhance that system to more effectively prepare for significant cyberattacks or the cyberconsequences of physical attacks or natural disasters. There were 115 public, private and international organizations participating in the Cyber Storm exercise, most of them working from their regular place of business in 60 locations across the country and a number of other countries.

Do you have the results of the exercise?
Purdy: It is a laborious effort to understand who said what to whom and when, to understand how well the communications paths and processes really worked. We expect that that effort will culminate in a report in the summer that we will be making public.

Was this exercise really about knowing if our information sharing works or was this about knowing if our defenses work?
Purdy: Because it was a simulated series of attacks, it did not involve attacks on real networks. It wasn't testing the ability to actually stop attacks. Instead, it was testing the communications paths and processes that would be used by the cybersecurity community, law enforcement, the intelligence community, the Department of Defense and the private sector in responding to significant attacks.

What do you think about our ability to actually defend against an attack? How well prepared are we to defend ourselves against one?
Purdy: As President Bush said last week, America remains at risk. We remain at risk from both a physical and cyber perspective. In other words, malicious actors can attack our critical infrastructures and cause disruption. We are working to help mitigate the significance of those disruptions. We don't have perfect defenses; we recognize that these are risks we have to mitigate, and this Cyber Storm was an effort to help advance that.

Do you have any recommendation for what government, companies and even individuals should do to help us protect the national infrastructure against cyberattacks?
Purdy: The national strategy really lays out the call to action as to what folks need to do. For example, in the area of consumers, we're trying to raise awareness and we're doing so in partnership with the National Cyber Security Alliance and the Federal Trade Commission as to what folks need to do to help secure their systems. We're working closely with law enforcement, in addition to helping make sure that information that can be shared is shared about malicious activities and those who commit cyber-related crimes, to make sure those efforts are investigated and the individuals prosecuted.

We're certainly encouraging the private sector to use best practices to help secure their information systems. Just as (Homeland Security Secretary Michael) Chertoff has called for a risk management approach from a national perspective, it is critically important that the leaders of organizations use traditional risk management processes but include cyberrisks as part of those processes so that they assess and mitigate the cyberrisks that their organizations face. That mitigation can include reducing vulnerabilities, business continuity and disaster recovery plans as well as implementing the best practices generally.

Do you have any advice for ordinary consumers? Do you think they can help out--are they part of this link to protect the national infrastructure, or do they not matter that much when it comes to that?
Purdy: I think consumers and small businesses and large enterprises and the government are all important when trying to reduce the cyberrisk. We're trying to raise awareness with partners of the responsibility and techniques consumers can use to help secure their systems. Some of the traditional techniques they have heard a lot, but it is important to re-emphasize them: make sure they have a firewall and it is turned on, that they have antivirus protection and it is updated, that they have anti-spyware protection and it is updated, that their operating systems are updated, that they don't open e-mail from strangers, and that they don't open attachments from anyone unless they're expecting them.

It is critical that they secure themselves to help secure others. It is possible with malicious code that can get implanted on computers that the computers of tens of thousands of home users can be used to launch attacks, unwittingly to the consumer, that can harm other consumers and harm government and the private sector.

Is it straightforward enough for consumers to stay secure online these days?
Purdy: I think it is important for consumers to go to Web sites like StaySafeOnline.org and US-Cert.gov and diligently follow the steps in that advice. It is important, though, for businesses to make it easier for consumers to do that. There are a number of different steps and a number of different technologies; to the extent that there can be more of a one-stop shop, a one-stop solution, that is going to help make it easier for consumers who recognize the problem to address the problem. But there are enough tools now that consumers should be able to protect their systems. And they have to recognize that it is not just protecting their systems; it is protecting their personal information that may be on their computer, and it is making sure their computer isn't used to harm someone else.

When it comes to business, legislation that requires compliance or data security breach notification has come up in various states and is making its way through Congress. Some of it requires businesses to use certain security software. Do you think legislation to require security is the way to go?
Purdy: As a general proposition we would rather avoid a mandatory, regulated solution to cybersecurity challenges. As in all issues of risk mitigation, the Department of Homeland Security sees legislative and regulatory solutions as a last resort. There are some instances where, for example in the chemical sector, the department has weighed in in favor of some regulation.

What keeps you up at night?
Purdy: As I mentioned before, we believe that cyberrisk is an important part of the risk we need to mitigate. The greatest potential disruption would be sophisticated, organized, well-financed attackers who wanted to cause large-scale cyberattacks. That kind of an eventuality is one that is on my worst-feared list. I am not saying it is the most likely; it is the most feared.

Do you believe in cyberterrorism?
Purdy: The approach to risk mitigation is very different (now) than before the National Strategy. There was a tendency to look at the threat and the information we have about the intent and capability of those who would harm us. After the national strategy and under Secretary Chertoff's risk management agenda, we're focused on risk, which is a combination of threats, vulnerabilities and the consequences if those vulnerabilities were exploited. Although we don't have specific threat information of terrorist groups wanting to and intending to launch cyberattacks against us, we nonetheless recognize that there is cyberrisk.

We're not going to wait until we have specific threat information and we could not respond quickly enough; we're trying to mitigate the most significant risks now. If and when we get specific threat information, we can use that to help mitigate risk that is attendant to that specific threat.