A two-pronged approach to cybersecurity

The U.S. government's new cybersecurity czar, Amit Yoran, says security levels still fall short.

Robert Lemos, Staff Writer, CNET News.com

In September, Amit Yoran became the United States' top cybersecurity defender.

Against a backdrop of new challenges from increasingly sophisticated hackers, Yoran is responsible for preparing the government's response to any major cyberattacks.

This is the second tour of government duty for Yoran, who once headed vulnerability assessment at the Department of Defense's Computer Emergency Response Team (CERT) and managed the Pentagon's network security. In the interregnum, he started and then sold a services company to security software maker Symantec.

As director of the National Cyber Security Division of the Information Analysis and Infrastructure Protection Directorate at the Department of Homeland Security, Yoran has a big title. Still, he can't make things happen by federal fiat, and the success or failure of the government's National Strategy to Secure Cyberspace hinges on private sector buy-in.

That's why he's in Silicon Valley this week, where he plans to talk with companies about how the United States can better handle future cybersecurity attacks. He spoke with CNET News.com before heading out.

Q: Is cyberterrorism a big worry to you?
A: Terrorism occurs throughout the cyberdomain. (Terrorists) use the cyberinfrastructure to inflict their operation, or their operation targets the cyberdomain. Those two may qualify as cyberterrorism, but I don't think it warrants its own definition. I think it is something we need to be cognizant of. I don't think the countermeasures one would put in place for cyberterrorism differ that much from the measures to protect against other threats.

Many people are waiting for the National Strategy to Secure Cyberspace to bear some fruit. What will your role be in getting that done?
The president has identified the Department of Homeland Security--and Secretary (Tom) Ridge has identified the cybersecurity division--as the focal point for the coordination and implementation of the National Strategy. Its underlying theme is for a very strong public-private partnership to go forward and execute in a number of different areas to deliver better security to the country on many different fronts.

The government has already initiated action on the National Strategy. Other components of the national strategy clearly call for action on the private sector's part or for a coordinated partnership effort between the public and private sectors.

To what degree have companies stepped up to the plate and delivered the level of security for which the National Strategy calls?
I don't believe that that security level has yet been achieved--nor do I think that it is realistic for us to expect that that level would have been achieved. However, I will say that I have been very encouraged during my first 30 days here. I have also been very encouraged by the willingness of the private sector to engage and assist and participate in the work that needs to be accomplished. So, have we achieved the desired level of security? The answer is no. But are we making progress down that road? My belief is that we are.

What do you think you can do to stop or prevent attacks such as Code Red, Nimda, Slammer, Sobig and MSBlast?
There are some things we need to do that are strategic and long-term in nature, such as the advocacy and creation of better software development processes and better software engineering. In addition, a number of very short-term and tactical initiatives can start us down that road. Those include a better-facilitated response infrastructure, making sure that when a new virus, worm or other vulnerability is discovered, we have some coordination for that effort.

We have some national-level focus on that effort. We have the appropriate players--the owners of the critical infrastructure, the software developers, the people who operate these systems--at the table. We know how to communicate with them. We have a secure communications infrastructure to provide them timely guidance, advice, assistance and information for action.

So, when you look at the issues we face, you have a two-pronged approach: You have these long-term strategic initiatives we think will ultimately solve the problems. But several tactical step-one, step-two things can make near-term tangible operational improvements in cyberspace.

What do you hope to accomplish during your tenure at the Homeland Security Department?
To have the United States and the cyberinfrastructure be in a more secure state. And I know that's a very open-ended response, but if we are looking to measure results over a longer term, that might be the appropriate yardstick.

Short-term goals include improving our response time, improving our coordination with various critical infrastructures, improving cybersecurity awareness and improving our national response system. Ultimately, I'd like to see significant improvement in the United States' homeland security and cybersecurity.