New Cybersecurity Plans Unveiled
Two joint government and private-sector task forces unveil proposals to help make cyberspace more secure.
Two joint government and private-sector task forces, both part of the National Cyber Security Partnership, on Thursday unveiled their proposals to help make cyberspace more secure. The Awareness and Outreach Task Force and the Cyber Security Early Warning Task Force were formed late last year to help assess the security of critical national infrastructure.
The National Cyber Security Partnership is led by the Business Software Alliance, the Information Technology Association of America, TechNet, the U.S. Chamber of Commerce, as well as public, private, and other cybersecurity experts. The partnership formed five task forces to tackle several issues, including security awareness, a cybersecurity early-warning system, corporate governance, and software development security.
The Awareness and Outreach Task Force, which is primarily focused on improving end-user security through public-awareness campaigns and making security tools more widely available, says it plans to roll out a national information-security ad campaign this fall. This summer, the task force will release a security kit that's designed to help educate home users and small-business owners, as well as kick-off a partnership with Internet service providers to help educate their customers about how to stay safe online.
Some criticized the plan, saying they'd rather see more effort placed on making computers more secure out of the box than focusing on awareness. "It's always a nice idea to educate people, but they're generally only going to be able to reach people who already understand security," says Alan Paller, director of research at the SANS Institute, a cooperative research and education organization. "All of this does is tell end users that they're stupid. These systems have to build this stuff [security] in."
Dan Caprio, chief of staff for Federal Trade Commission commissioner Orson Swindle, disagrees. "I'm in violent disagreement with Alan's characterization," he says. Caprio says the computer and software industry has come a long way in recent years and is shipping PCs that are more secure and include firewalls.
Caprio, who also is a co-chair on the awareness task force, points to the FTC's more than 2-year-old security-awareness initiative. Its Web site, which provides security information aimed at consumers, has garnered more than 500,000 hits to date and is linked to by more than 500 organizations, Caprio says. "It's reaching people and awareness is a critical part of security," he says.
The Cyber Security Early Warning Task Force says it plans to form an Early Warning Alert Network by year's end. The warning network would be geared toward the nation's critical infrastructure sectors.
Doug Pearson, manager of Digital Media Network Services at Indiana University and a member of the early-warning task force, says the early-warning network will be a closed group, unlike many of the early-warning systems already in place. "It will be a vetted, trusted community," he says. The network will bring together business executives as well as administrators and front-line business managers at various public and private organizations, he says.
It's not clear how the Early Warning Alert Network will work with the various alert systems already provided by information security vendors, CERT, or the many information-sharing and -analysis centers used by industries such as energy, telecommunications, and financial services.
"They've tried and talked about such information-sharing plans many times, but the fact of the matter is few companies trust handing security-incident information over to the federal government," says one chief information security officer at a financial-services firm, who wants to remain unnamed. "It's a laudable goal, but companies won't want to share information unless they can be guaranteed it won't end up public information."
Three more reports from other National Cyber Security Partnership task forces are expected to be released in coming weeks. A report on technical security standards is expected to be made public March 31. And a report on how to make corporate board members more culpable for their information security will be released April 6, as will a fifth report on how to improve software development.
About the Author
You May Also Like