Industry gives Bush cybersecurity to-do list
Connecting state and local government leaders
An IT industry association makes recommendations it says the president should undertake in his second term to improve the nation's cybersecurity.
An IT industry association has offered a list of recommendations it says President Bush should undertake in his second term to improve the nation's cybersecurity.
The 12 items released by the Cyber Security Industry Alliance include creating an assistant secretary for cybersecurity in the Homeland Security Department, establishing an emergency coordination network, and expanding funding for basic research and standards development.
CSIA is a CEO-led public policy and advocacy group established in February. The recommendations are intended to raise the profile of cybersecurity, promote information sharing and threat analysis, and boost research and education, the group said.
'We have moved beyond the discussion and planning phase and have identified concrete actions that can be taken by the administration to immediately improve the security of our nation's cybersystems,' said CSIA executive director Paul Kurtz, a former presidential adviser.
The alliance called for the government to:
- Create an assistant secretary for cybersecurity at DHS, making it separate from but equal to an equivalent position for physical security.
- Ratify the Council of Europe's Convention on Cybercrime. The United States signed this international treaty in November 2001 and it was presented to the Senate two years later.
- Promote information security governance in the private sector by elevating awareness of the issues at the corporate board level. This would include education on implications of the Health Care Insurance Portability and Accountability Act of 1996, the Gramm-Leach-Bliley Act of 1999 and the Sarbanes-Oxley Act of 2002.
- Lead by example in procurements by requiring contractors and suppliers to meet federal requirements in their own systems.
- Close the strategic gap between government and private-sector information security efforts by gathering more information on threats to private systems and by making information gathered through classified channels more available.
- Strengthen the information sharing and analysis Centers, through which industry and government exchange threat data, by increasing federal funding and setting common operational processes.
- Establish and test a survivable emergency coordination network, separate from the proposed Homeland Security Information Network. The new network would facilitate reconstitution of the Internet in the event of a large-scale attack.
- Direct an agency to track costs associated with cybercrime, which are not now accurately known.
- Increase R&D funding for cybersecurity by directing DHS to spend a larger portion of its $1 billion R&D budget on it and boosting the budget for the National Science Foundation.
- Fully fund responsibilities of the National Institute of Standards and Technology. The Federal Information Security Management Act requires NIST's Computer Security Division to develop standards for federal IT security, but the 2005 budget would fund only a fraction of the authorized appropriations for this work.
- Strengthen the Common Criteria certification process by reducing the time and cost of the process and addressing private-sector as well as government needs.
- Secure supervisory control and data access systems, which run much of the nation's critical infrastructure.
NEXT STORY: Insecure credentials worry states, feds