U.S. improving its cybersecurity posture
Signs indicate that the cooperation needed to tackle the job is emerging in government and industry, experts say.
SAN FRANCISCO - The challenge of developing and executing a comprehensive national cybersecurity strategy might be too great to ever be fully achieved, but there are signs that the cooperation needed to tackle the job is emerging in government and industry, a panel of experts said today at the RSA Security conference.
Repeated breaches of U.S. computer systems, possibly by foreign governments, have been a "huge wakeup call," said Rep. Jim Langevin (D-R.I.), chairman of the Homeland Security Committee's Emerging Threats, Cybersecurity, and Science and Technology Subcommittee.
Langevin has overseen a number of high-profile hearings on cybersecurity and earned kudos from experts for his nonpartisan efforts to make improvements in that area. He was presented with RSA's award for excellence in the field of public policy today and was widely praised for his efforts by speakers in and out of government.
One of the primary government efforts to improve cybersecurity is a recently announced presidential initiative, many of the details of which are still not known.
"We're still learning about it, and much of it is classified," said Langevin, who also serves on the Permanent Select Committee on Intelligence.
However, Alan Paller, director of research at the SANS Institute, cited several instances in which the government is pulling ahead in cybersecurity.
"It has taken a while," he said, but positive signs of the government leading by example are beginning to emerge.
The Federal Desktop Core Configuration initiative, for instance, will reverberate throughout the IT industry, Paller said. When the Air Force adopted a common configuration, it was able to reduce the average time for installing a security patch from 57 days to 72 hours, and it has a goal of 24 hours. Agencies governmentwide have adopted the configuration as a standard for Microsoft operating systems, and they now require vendors to certify that applications will work and play well with the FDCC.
Such requirements are likely to mean that secure configurations and compatible software will make their way into the commercial market as well, Paller said.
Greg Garcia, assistant secretary for cybersecurity and communications at the Homeland Security Department, said collaboration within government and between government and the private sector is necessary for adequate security.
However, he found fault with the overlapping oversight of DHS by congressional committees. Lawmakers have been highly critical of the department, he said, and some of that criticism is deserved, but "quite often that criticism is not fair." He said he hopes for a more constructive oversight environment that would allow the department to play a more constructive role in helping government and industry secure their portions of the nation's critical infrastructure.
But committees' efforts to protect their oversight turf do not appear to be slowing. Industry leaders have called for passage of a national data breach notification act to replace the current patchwork of 40-plus state laws and for passage of a cyber crime bill to beef up federal laws against online crime and abuse. But the House Judiciary Committee has linked the two issues, and the resulting bill is unlikely to be passed this year because of multiple committees claiming jurisdiction over the breach notification issue, conference panelists said.
Many would like to see the issues separated so the cyber crime bill would have a chance at passage this year, even if a notification bill dies. But members of the Judiciary Committee have said they want to deal with both issues at once, Langevin said. If they do not relent, such legislation stands little chance of passing in this election year, he added.