Experts assess government role in online security
Government and private-sector experts in Internet security on Tuesday gave their assessments of how government should help guard against inevitable cyber attacks from an array of likely foes.
John Tritak, director of the federal Critical Infrastructure Assurance Office (CIAO), said government must take a lead in the ensuring that the nation's critical infrastructure is secure, especially because government systems typically are operated by private-sector entities.
Tritak called for leadership "from the White House down," in a coordinated approach, communicating a clear message. Currently, he said, the system of government still reflects its origins in the era before the information age.
Yet Tritak also called on industry to take a lead on security issues from an economic or risk-management standpoint, keeping government on the sidelines to provide oversight and step in where the market fails to accomplish the goal.
He also said there is a need globally to close safeguards for cyber criminals, and said it is time to move from raising awareness about cyber security to building consensus on how to address the risks. Tritak said a Bush administration review of the CIAO is underway and that a new plan for addressing security is expected by late summer or fall. He would not provide details.
Utah Republican Bob Bennett, the former chairman of the Senate Republican High-Tech Task Force, said the biggest security problem is that businesses do not know when they are at risk. He called for the creation of a government office like the one created to address the threat of the year 2000 computer bug.
Bennett also said bringing the level of a computer security risk to the attention of a company CEO is more effective than leaving it to a chief information officer because addressing the threat is a management/leadership problem.
Taher Elgamal, president and CEO of Securify, said responsibility for solving security issues is "not business. It's not government. It's community." His suggestion was to assign responsibilities within the community, "which has not happened yet."
He noted that the Internet is still insecure because it was built to share information, not for business use. The way to address that is to strengthen the existing infrastructure because it cannot be replaced. But doing so is difficult, Elgamal said, because "people believe they can solve everything with a technology solution. That's a complete misconception."
Elgamal echoed Bennett's suggestion for a system of feedback to inform companies how cyber-security operations are functioning so that they will be notified when the operations are not working properly.
Bennett said striking the balance between privacy and security is difficult because the Internet was designed for information sharing for everyone connected. "There is no silver bullet," he said. "If you get absolute privacy, you're never going to order anything on the Internet [nor] look at anything on the Internet again."