Tech industry put on security notice

Bush administration officials praise industry efforts to create security programs--but pledge that if those initiatives fail, legislation will soon follow.

Robert Lemos, Staff Writer, CNET News.com
SANTA CLARA, Calif.--At first blush, the National Cyber Security Summit had all the makings of a tech industry love fest.

The Summit, put on by four pro-business organizations, had major officials from the Department of Homeland Security praising industry-led initiatives and promising to forestall any legislation.

Yet, while the government officials--including department Secretary Tom Ridge and Robert Liscouski, assistant secretary for infrastructure protection--said they would go to bat for industry efforts to improve corporate network security, they warned that companies had better not strike out.

"There should be no mistake about where we stand," Liscouski said during a press conference at the summit. "We are not going to let anybody who operates in this space dodge their responsibility, and I will be sticking my finger into people's chests to make sure they live up to their responsibilities."

While some security experts have criticized the Bush administration's plan to protect the Internet, known as the National Strategy to Secure Cyberspace, Liscouski and other officials stressed that the policy document was just a guideline to help secure the Internet and that supporting legislation could be one way that the Department of Homeland Security could hold companies' collective feet to the fire.

"The National Strategy didn't call for specific pieces of legislation," said Amit Yoran, director of the National Cyber Security Division at the Department of Homeland Security. "That does not mean, however, there is no role for legislation."

The tougher stance answered many critics' calls for legislating responsible security measures for businesses, in much the same way that the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act (HIPAA) set data security standards for companies. At least one study has indicated that such legislation is a primary driver of corporate information security spending.

Liscouski promised to head off legislation and let companies have a first stab at the problem. "I can be your advocate to everyone who wants to put legislation on the block to make you do your jobs," he said during a morning keynote speech.

By midday, however, Liscouski was taking a less amiable tack. "This is not the (Department of Homeland Security) advocating the industry's message," he said. "This is a partnership. It is not about ensuring that the industry gets its own way."

The Department of Homeland Security has marked the security of the Internet and e-commerce infrastructure as a top priority.

"Terrorists know that a few lines of code could, ultimately, wreak as much havoc as bombs," Ridge said during his keynote speech. "The enemies of freedom use the same techniques as hackers do. We must be as diligent and determined as hackers are."

While most security professionals have dismissed predictions of "cyberterrorism" as the stuff of fiction, they haven't denied that cyberattacks are a serious threat for businesses. Eric Benhamou, chairman of network provider 3Com, pointed to the MSBlast worm and Sobig virus that hit companies hard this past summer as a wake-up call for even the least security-conscious companies.

"The pain level experienced by companies due to cyberattacks has increased sharply to the point that it can't be ignored," he said.

Uniting to push security
The four organizations that sponsored the Summit--the Business Software Alliance (BSA), the Information Technology Association of America, the TechNet lobbying group and the U.S. Chamber of Commerce--brought together five groups of company executives and security professionals to hammer out proposals in five different areas.

The five task forces focused on creating awareness in home computer users and small businesses, establishing a cybersecurity early warning system, making information security part of corporate governance, advocating technical best practices for security, and pushing security improvements into the software development process.

The four organizations said that well-informed companies will do the right thing and secure themselves, and that the effort should not be just about selling technology. "Cybersecurity is not just a technology issue, but an issue that should be considered across the corporation," said Robert Holleyman, CEO of the BSA.

Most companies should already be having security discussions at the boardroom level, said Art Coviello, CEO of digital security company RSA Security and co-chairman of the Corporate Governance Task Force. "CEOs are already on the hook for (their company's security), whether they know it or not...I don't need Sarbanes-Oxley to know that I have a fiduciary responsibility to protect my networks."

TechNet, a lobbying group in Washington, D.C., that represents the technology industry, released a 75-question evaluation that lets chief executives assess the state of security in their own companies. The four groups said that such tools should let them gauge the industry's progress in securing itself.

Assistant Secretary Liscouski, former director of information assurance for Coca-Cola, appeared to think the task forces were moving in the right direction. In any event, he seemed reluctant to return to the boardroom.

"Government is not going to sit on the board of a company to make sure they are doing the right thing," he said. "If they can't step up to the plate, we have other measures. However, at the end of the day, that's not where we want to be."

The goal, Liscouski stressed, is not to regulate but to secure the industry.

"We do not want what we fear: a catastrophic cyberattack or a catastrophic physical attack enhanced by a cyberattack," he said. "We are not going to sit back and let another event occur."