Cybersecurity task forces push for results

SANTA CLARA, Calif.--Five working groups formed at the National Cyber Security Summit released initial reports that focus on delivering concrete results within a year, task force leaders said Thursday.

The working groups have pledged to release white papers by March 1, 2004, that outline their recommendations for securing businesses and consumers and creating more secure software. The next meeting, tentatively set for September 2004, will be the deadline for each group to deliver at least some results.

"A concern is that if we were to meet in (a year), can we show progress?" said Mary Ann Davidson, chief security officer at database maker Oracle and the co-chair of the Technical Standards and Common Criteria Task Force, one of the five working groups. "Even if we make recommendations, we should prioritize, and one of the priorities should be showing results in a year or less."

		Get Up to Speed on... Enterprise security Get the latest headlines and company-specific news in our expanded GUTS section.

The quick deadlines are a nod to the urgency expressed by policy makers and consumers. Critics have snubbed the United States' cybersecurity policy--the National Strategy to Secure Cyberspace--as largely voluntary and lacking regulatory prescriptions. The National Cyber Security Summit, sponsored by four industry associations, showed that businesses have at least taken some of the criticism to heart. The four organizations that sponsored the Summit were the Business Software Alliance, the Information Technology Association of America, the TechNet lobbying group and the U.S. Chamber of Commerce.

Security experts formed five groups to focus on specific problem areas: creating awareness in home computer users and small businesses; establishing a cybersecurity early warning system; making information security part of corporate governance; advocating technical best practices for security; and pushing security improvements into the software development process.

Despite the pressure to deliver, reigning in the groups to focus on concrete ideas that could be implemented quickly was a task, Oracle's Davidson said.

"It took us a while to home in," she said. "We had a number of people that said, 'I want to make the Internet a safe place.' Well, I want world peace, too, but you need to focus a bit."

Davidson's group focused on ways of expanding technical specifications and government evaluation programs to apply to more information technology products and give consumers a way to evaluate security products. Some sort of expanded certification could help them decide, she added.

"Right now, it's caveat emptor, but customers don't know what to emptor," Davidson said.

Moreover, software makers may be required to use certain types of tools to drum out well-known vulnerabilities automatically during the development process in order to qualify for certain levels of certification. The problem right now is that many of the tools don't exist or are expensive. Yet, a public effort to create such tools is needed to stamp out security flaws that crop up because of developer ignorance or mistakes.

"If we can stamp out small pox, why can't we get rid of buffer overflows?" she said.

The Corporate Governance Task Force has already released a 75-question survey for chief executives to take to their information managers in order to get a clear idea of the company's security. The group believes that the answers will offer a baseline snapshot of the security of the average U.S. business.

While producing visible results is important, a member of the Early Warning System Task Force stressed that the group wanted to make sure that the project was done right.

"Time lines are important and necessary, but people are coming together to build something new and necessary," said participant Gerhard Eschelbeck, chief technology officer of vulnerability assessment firm Qualys.

That group plans to create an advisory system that goes beyond the computer emergency response teams that currently warn people and companies of new vulnerabilities and major incidents.

"Early warning is not about identifying a new worm a few minutes before it hits but about a new flaw or threat before it happens," he said. "You want to spot the signs and signals leading up to the next attack."

One notable group of developers appeared to be left off the invitation list for the event, however. Red Hat, SuSE Linux and other Linux companies weren't represented in the work groups.

Oracle's Davidson conceded that future meetings should include Linux companies. "That's a point we need to consider," she said. "We need to make sure that if we are going to do this, that we also include open-source vendors."