
Security groups call for education, alert systems

Two U.S. government industry task forces argue for the creation of incident and advisory networks to help firms secure themselves. But others say the proposals are cop-outs.

Robert Lemos Staff Writer, CNET News.com

Two government industry working groups released reports Thursday, recommending that the U.S. public and private sectors work together to teach children online ethics, help small businesses secure themselves and create incident and advisory networks.

The Awareness and Outreach Task Force and the Cyber Security Early Warning Task Force are two of five groups formed by the National Cyber Security Partnership, an industry and government alliance aimed at finding ways to improve cybersecurity without resorting to legislation. The task forces' reports are the first proposals the group released; three more reports are due in coming weeks.

"We consider these recommendations to be a good starting point," said Guy Copeland, vice president at technology contractor Computer Sciences. "This is a dedicated group of volunteers presenting some hard thoughts on how to secure our information infrastructure."

The task force recommendations come almost four months after industry and government officials met to discuss how a partnership could improve the nation's overall cybersecurity and more than a year after the Bush administration released the final draft of the National Strategy to Secure Cyberspace.

Some security experts criticized the proposals as a way for companies to dodge any responsibility for the morass of security issues that plague firms and people on the Internet, a charge similar to that leveled against the National Strategy to Secure Cyberspace, which recommends that each Internet participant learn to secure his or her portion of the online domain.

"The average user will never become the kind of expert needed to protect himself or herself against the attacks being launched today," Alan Paller, director of research for the SANS Institute, said in a statement. "Today's announcement is the equivalent of national leaders telling every driver to wear football pads and helmets and tie themselves to the seat backs, because the automobile manufacturers won't build in seat belts and air bags and better bumpers and because there are a lot of dangerous drivers on the road."

The reports are the latest efforts by private industry, which owns and operates nearly 85 percent of the critical infrastructure in the United States, to convince Congress to refrain from introducing legislation that would mandate a solution to companies' security woes. The working groups, founded in December during the first National Cyber Security Summit, were formed largely to forestall a bill that would have required companies to release the results of a security audit in their quarterly filings to the U.S. Securities and Exchange Commission.

Federal agencies are graded on their information security under the Federal Information Security Management Act, which establishes detailed security regulations for agencies to follow. Private companies have no such obligations.

The Awareness and Outreach Task Force was initially charged with finding ways of increasing awareness of online threats and good security practices among home users and small businesses. In order to better support the National Strategy to Secure Cyberspace, however, it broadened its focus to include educating larger organizations, along with state and local governments, said Howard Schmidt, co-chairman of the task force and a former top White House cybersecurity official.

Much of the working group's focus is on strengthening the weakest link in Internet security--the users--by educating and providing simpler security tools.

"Computers are designed to run code, and as long as there are bad guys out there, end users will have to learn to protect themselves," Schmidt said. In his current role as the chief security officer for online auctioneer eBay, Schmidt frequently has to deal with the security costs of having a large number of users who aren't aware of online security issues.

The working group's recommendations are split between education and more proactive initiatives.

For small businesses, the report proposes that a security guidebook be developed to teach the best practices in security but also suggests that industry should encourage the creation of incentives, such as insurance, that could reward businesses that improve their security.

A national public service campaign could help educate consumers on cybersecurity, while a security tool kit would help the tech-illiterate protect themselves from Internet attack, Schmidt said.

"We want to have everything a person needs to protect their system, such as a personal firewall," he said. "Something my 87-year-old dad can deal with and not be confused about."

Large companies haven't escaped the attention of the working group, either. The group suggests that September 2004 be designated Cyber Security Month, that a direct mail campaign target the top executives at the largest 10,000 companies in the United States with security messages and that regional homeland security forums be held in partnership with the Department of Homeland Security.

The task force also recommends that the government start educating American citizens about cybersecurity from a young age, advocating teaching kids about appropriate cybersecurity and online behavior. In addition, the report proposes that the Homeland Security Department clone its forums for university presidents.

The second working group, the Cyber Security Early Warning Task Force, also released its initial recommendations Thursday.

The group proposed that a public-private network be created to give early warning to information managers and network administrators of possible attacks. The so-called Early Warning Contact Network, or EWAN, would share information on incidents and vulnerabilities between vetted professionals.

The network would distribute information in four ways: daily status conference calls, online alerts, analysis of threats and a means to coordinate calls between managers responsible for networks and infrastructure.

The group aims to have an initial working version of the network in October, with the network going into regular use by the end of 2004.

The task force also proposed the creation of a National Crisis Communications Center, modeled on a concept currently used in the telecommunications sector. Each major player in the Internet world would have a representative in the NCCC that would facilitate communications during a cyberattack or other crisis.

The NCCC would conduct training exercises, offer advice on current national cybersecurity issues and share intelligence on current threats. The task force recommended that Congress consider the concept over the next two years and pass legislation to create the center in 2005.

A third report, on technical standards, will be released March 31, and two final reports, on improving software development practices and on ways of making boardrooms more responsible for information security, will arrive April 6.