Cybersecurity Experts Urge Action
SANTA CLARA, CALIFORNIA -- Flanked by two senior officials from the U.S. Department of Homeland Security, Amit Yoran, the newly appointed director of the National Cyber Security Division, made his first major policy address since joining the department less than three months ago.
Yoran made his much-anticipated remarks Wednesday at the inaugural DHS National Cyber Security Summit, referred to jokingly by Tom Ridge, secretary of homeland security, and Robert Liscouski, assistant secretary for infrastructure protection, as "Amit's coming out party."
If there was a central theme that ran through the remarks of all three DHS officials, it was the need to create a sense of urgency, to start taking action on tough issues facing cybersecurity at all levels of society, and to begin to think differently about future threats to the nation.
Power of Perception
Yoran, the former director for vulnerability assessment at the Defense Department's Computer Emergency Response Team and former vice president for worldwide managed security services at Symantec, said the nation could be witnessing "just the beginning of what could become a critical national weakness."
He compared the IT community's perception of future cyberterrorist threats to the early days of military air power, when most military thinkers dismissed the use of air power in war as ineffective.
"We need to be thinking about how today's advances in cyberspace can be turned against us," said Yoran. Even though most cyberattacks have so far proved unsophisticated and have been predominantly criminal in nature, "we cannot count on that forever or even for long," said Yoran. He was referring to the threat of terrorist-sponsored, coordinated attacks on critical infrastructures.
There was an air of tension at the summit, stemming from a Computerworld report that raised questions about the motivations and role of the various IT vendor associations that sponsored the event. Harris Miller, president of the Arlington, Virginia-based Information Technology Association of America, even made a point during a news conference to take issue with what he called "erroneous" comments made about the lobbying power of ITAA and other groups.
In an exclusive interview with Computerworld, Yoran acknowledged that questions about vendor influence are valid. But he flatly denied that the DHS is following the antiregulation views of the ITAA, the Business Software Alliance, and TechNet.
Yoran also acknowledged the lack of critical infrastructure operators and other end-user companies attending the summit. Only eight such companies were among the 334 registered attendees. But he said he and others from DHS would be meeting with those organizations in the coming weeks and months.
If there was one issue the DHS did not have a satisfactory answer for--at least as far as the reporters present were concerned--it was the issue of whether the reporting of cybersecurity incidents should be made mandatory.
At a news conference announcing a series of vendor-sponsored surveys and studies that were described as "tools" to help "measure the cybersecurity health of the nation," Liscouski likened the challenge to dealing with a public health incident. After a reporter noted that during a public health emergency doctors would be required to report incidents, Liscouski said: "We've got the tool sets and the processes in place. Reporting, however, is going to be voluntary."
And when asked by Computerworld whether the DHS would consider conducting real-world red team exercises for the private sector, Liscouski said the department is "constantly surveying for vulnerabilities."
"I don't think we need a separate process," he said.