A cybersecurity advocacy group has called on President George Bush to focus more resources on computer issues and to elevate the top IT security position at the U.S. Department of Homeland Security to the assistant secretary level.
The Cyber Security Industry Alliance called on the White House to institute or promote 12 of the group's recommendations, including Senate ratification of the Council of Europe's Convention on Cybercrime, and the assignment of a federal agency to track the costs of cyber attacks.
"Everyone's saying this is costing us billions of dollars a year," said Paul Kurtz, executive director of CSIA and one of the developers of the President's National Strategy to Secure Cyberspace. "But do we really have a firm handle on this ... and how do we know if we're doing better?"
Some of CSIA's recommendations were included in the Bush Administration's cybersecurity strategy, released in February 2003. The strategy calls for the U.S. government to encourage other nations to approve the Convention on Cybercrime, but it doesn't call on the U.S. Senate to ratify the convention.
"We kind of overlooked the fact that we needed to have the Senate ratify the convention itself," said Kurtz, former special assistant to the president and senior director for critical infrastructure protection on the White House's Homeland Security Council.
A White House spokesman didn't immediately return a phone call seeking comment on the CSIA recommendations.
CSIA also called on the U.S. government to increase research and development funding for cybersecurity, to form a task force to develop actions that will secure digital control systems used by utilities, and to establish and test an emergency coordination network that would function in the case of a large cyber attack. Such a network wouldn't have to be a "hundred billion dollar" project, but could start with efforts as simple as tabletop scenario response exercises, Kurtz said.
"Bottom line here is, we do not have established means, protocols, procedures in place if we have large-scale disruption on our Internet," Kurtz said. "What happens if the Internet drops out below us? We haven't really thought those issues through as a country."
Kurtz stopped short of saying the Bush administration is doing a bad job in protecting cybersecurity. After the September 11, 2001, terrorist attacks on the United States, it's not surprising that cybersecurity has been given a lower priority than some physical security issues, he said.
"I've been trying to keep all the focus forward-looking," he said. "What we're doing now is putting our hand up and saying, 'We rely on these information networks.' It's time that cybersecurity gets bigger play. I'm not trying to paint the White House in a corner. I'm trying to be constructive and point it down the road."
CSIA and other tech groups have pushed for an assistant secretary for cybersecurity position at DHS even before Amit Yoran, former director of cybersecurity at DHS, resigned in September, reportedly because of a lack of focus on cybersecurity at DHS. Yoran attended a CSIA press conference in Washington, D.C., where the organization unveiled its cybersecurity recommendations.
A CSIA position paper details the group's recommendations.
CSIA, formed in February, counts 14 IT vendors as its members. Members include Computer Associates International, Entrust, Juniper Networks, McAfee, and Symantec.