There is the impression now among corporate IT security leaders that DHS specializes in holding meetings on IT security-related matters, but falls short on action, said Richard Cressey, president of Good Harbor Consulting and former chief of staff to the president's Critical Infrastructure Protection Board at the White House, during an interview after his opening keynote address at the Infosec World Conference & Expo 2005 in Florida.
During his speech, he noted that the government's biggest problem is understanding just what to do and how to do it. Leadership upheaval in DHS and its Cyber Security division is only compounding this indecision. Because government decision-makers decided that IT security cannot overshadow physical security needs, a tension between industry and government has arisen. With little follow-up on the National Strategy to Secure Cyber Space, which is supposed to be a "living document," relations between the private and public sectors to improve critical infrastructure protections are floundering, he noted after the speech.
"There has been a leadership vacuum at the department that is going to continue for at least the next several months," said Cressey during the interview.
However, with the new Secretary of DHS Michael Chertoff, who was sworn in on February 15, stating during his first month in office that government and private industry must take a risk management approach, Cressey said he is optimistic that positive change will occur. Because Chertoff has been focusing on the need to understand vulnerabilities and their consequences, as well as the requirement to prioritize assets and reduce risk, Cressey said cyber security issues may just start to get the weight they deserve.
Such focus is a requirement, given the "national security problem" of vulnerabilities. With some data indicating at least 10 vulnerabilities in every 1,000 lines of code, companies are saddled with a "target-rich environment," Cressey explained. To help with this, government should quickly ensure the rapid dissemination of vulnerability and threat information, among other initiatives.
In the long term, Cressey suggested that the government begin developing a workplan, metrics, milestones and accountability procedures around a list of top five cyber security priorities. Most importantly, officials should reignite public/private relationships by developing a national recovery/reconstitution plan that stresses the importance of getting interconnected critical infrastructure up and running quickly in the event of a massive failure. Additionally, they should approach ISPs to do a better job of filtering at the core and take improved steps to stop DDoS attacks. An opportunity also lies in reaching the corporate world through talks about identity theft and phishing attacks -- cyber security issues that continue to be growing concerns for companies and private citizens alike, he said.
As SC Magazine reported, DHS officials told delegates at the RSA Conference in February that progress was being made in cybersecurity but help was needed from industry.