In an election season dominated by concerns over the economyand the war in Iraq, cybersecurity hasn't exactly been a top issue for the candidates or voters.
But it's a topic the next administration will need to focus on -- and as a high priority, according to several tech industry representatives, including two former officials at the U.S. Department of Homeland Security (DHS) and a former White House cybersecurity czar.
Driving that urgency: the growing danger of cyberattacks against critical networks and systems that run the financial services and energy sectors, as well as those used by the government and the military. Those attacks could come from opportunistic nation-states as well as from criminal adversaries, they said.
"There is not a doubt in my mind that the time for action, and dramatic action, is now," said Amit Yoran, former director of the National Cyber Security Division (NCSD) of the DHS and now CEO of NetWitness Corp. "Without a comprehensive national cybersecurity initiative, things are going to end up in a very bad way."
Among the areas needing immediate attention, according to Yoran and others are a greater focus on public/private sector collaboration; more transparency around an unfolding multi-billion cyber-security initiativeannounced earlier this year by President Bush; greater security R&D investments; and more direct involvement by the White House.
The task of protecting critical infrastructure targets against attacks was spelled out earlier this year by DHS Secretary Michael Chertoff as an issue with national security implications. It's a topic that has been the focus of attention since the terrorist attacks of Sept. 11, 2001 and has resulted in enormous investments to -- and changes in -- the nation's cyberdefenses.
The biggest of these was the decision to tap the DHS to lead the nation's cybersecurity efforts and the launching of the mostly-classified Comprehensive National Cybersecurity Initiative by President Bush in January. How successful those efforts have been remains in doubt; Chertoff himself admitted that five years after the DHS was created the nation remained dangerously vulnerable to electronic attacks from those looking to wreak the same kind of havoc on networks as the 9/11 attacks did in New York and Washington, D.C.
As a result, it is critical for the next administration "to continue the efforts that this government has already started," said Ken Silva, chief technology officer at Verisign Inc. "This is one of the few times that we are here, this close to an election, when we know the current administration is going to change, and yet none of the cyber initiatives have been scaled back" or dropped Silva said.
One area most in need of immediate attention is private and public sector collaboration. By most accounts, the private sector owns and operates between 85% and 90% of the critical infrastructure that needs protection, and there should be a way to ensure that the it has a more active role in protecting that infrastructure, said Andy Purdy, co-director of the International Cyber Center at George Mason University and former White House cyber czar.
Most public/private partnerships today are little more than vulnerability-information sharing exercises that have done little to bolster security. But it is vital that the private sector and the government work as equal partners to build better situation awareness and recovery capabilities, Purdy said. "We need to try and encourage the government to make the private sector a true partner in the assessment and mitigation of risk. The dependence and inter-dependence of government and private sector companies" makes better collaboration a must.
An effort needs to be made to encourage "talent from the industry" to act on cyber-risk assessment and mitigation efforts, said Jerry Dixon, former director of the NCSD and vice president of government relations with the InfraGard National Members Alliance.
In the past, when the government shared information about infrastructure vulnerabilities with the private sector, not everyone has taken advantage of it, Dixon said. He pointed to a dangerous vulnerability in the nation's power infrastructure that was discovered by the Energy Department's Idaho National Laboratories. Despite efforts to correct problems by the governmen, only the nuclear sector applied the fix. The response from the rest of energy sector was "abysmal," he said.
The next president would do well to make Bush's cyber-initiative more transparent, Yoran said.