Homeland Security seeks corporate cybersecurity alliance
NEW YORK -- The federal government is bolstering its efforts to improve cybersecurity, but it still could use help from the private sector to get the work done, a Homeland Security Department official said Monday.
"The threats we are facing are trickier than they have ever been before," Amit Yoran, director of the department's cybersecurity division, said here in a keynote speech that opened the Information Security Decisions conference. "And they will be until we change the fundamental paradigms about cybersecurity."
Describing the soldiers at the front lines of the battle as the "folks to your right and left, sitting behind the desks," Yoran urged chief security officers (CSOs) everywhere -- from investment banks to power plants -- to integrate their risk-management approaches with the government's.
Yoran's group, for instance, has started testing new tech products in conjunction with the research community. It also has begun limited investments in software development.
Just 19 programming flaws account for 95 percent of all network vulnerabilities, Yoran said. If the public and private sectors work together and share common tools, those flaws could be identified before hackers, disgruntled employees or especially terrorists exploit them, he said. Better yet, software could be upgraded with the knowledge for self-repair.
Laden with specifics, Yoran's half-hour talk updated the audience on his division's work the past year. Two of the more significant accomplishments, he said, are the National Cyber Alert System, an easy-to-use warning siren for system administrators across industries, and Live Wire, which allows government agencies like the Education and Justice departments to "war game."
"Yet we need to be realistic," Yoran said, because securing computer systems will take time. He said attacks are likely before all agencies are adequately safeguarded.
Asked whether stricter laws are the solution to protect businesses, Yoran, a former vice president of the Symantec security firm, was fairly noncommittal. The department will keep legislation "in the quiver of tools available to us," he said.
Yoran added that a better way might be to offer incentive programs to private enterprises to make sure they upgrade network security continually. Until then, Yoran said he will attend conferences to encourage the new foot soldiers in the next stage of the war to be alert.
He encouraged CSOs to do the same with their staffs. "It may not be the most fun part of the job," Yoran said. "But it is fundamentally important."