Exactly which information should private-sector companies share with government agencies? "Managers on the ground see security attacks all the time," Howard Schmidt, former White House cybersecurity adviser, said Wednesday at InfoSecurity. Schmidt, currently president and CEO of R & H Security Consulting LLC, added, "What makes you get your VP out of bed at 2 a.m. in the morning? Is this what you should be alerting the government about?"
Former Homeland Security Secretary and Pennsylvania Governor Tom Ridge acknowledged the stigma associated with sharing information--whether corporate or personal--with the government, but he noted that this process has to get underway to improve security. "If a bookstore sends us a coupon for a type of book they know we like, it's seen as a good thing," he said during his keynote Wednesday. "But if your local library, which is an extension of the government, sends you a personalized list of suggested reading material based on the books you've checked out in the past, people are likely to be less comfortable."
I'd never really thought about the library as a quasi-governmental agency, but OK, I see what he's saying. Just when you think it all comes down to how much individuals, and consequently businesses, trust the government, you realize that government doesn't even trust government.
During a morning session at InfoSecurity, I listened to Will Pelgrin, director of the New York State office of cybersecurity and critical infrastructure, talk about the challenges he faced trying to create his office shortly after 9/11. Pelgrin was very clear that there was some resistance among state agencies to share information that could be used to improve cybersecurity. During one meeting shortly after the cybersecurity and critical infrastructure office was established, New York Gov. George Pataki told agency leaders in the room to share information with Pelgrin and his team. "As soon as he left the room, they said, 'We're not sharing anything with you,'" Pelgrin said. Excuse me?
To his credit, Pelgrin noted that he's been able to win over his colleagues over time. They continue to meet with his office and listen to his concerns and recommendations. Progress indeed, but is this happening quickly enough?
Ridge joked early during his keynote that he's been through secondary screening at airports more than 20 times since 9/11. "I'm hoping that the country will move in the direction of pre-screening technology, but until then, thank your screeners; they're just doing their jobs." It's a bit disturbing that someone as recognizable as Tom Ridge would have such difficulty making his way through an airport. Still, I think it's more important to note Ridge's belief that technology will play a key factor in helping improve both national and cyber security.
Networks and computers have become a key component of the U.S. critical infrastructure, Ridge went on to say, adding, "The ubiquity of the Internet drives everything in this country."
Still, cybersecurity on a national level continues to evolve at a slow pace. "Prior to 9/11, cyber security was not on anyone's to-do list," New York's Pelgrin said Wednesday morning. After the attacks, however, it became clear to what lengths terrorists would go to harm U.S. citizens as well as American financial and military centers. Security professionals feared that the cyber infrastructure might also be high on the list of terrorist targets.
In July, Ridge's successor, Homeland Security Secretary Michael Chertoff, laid out a reorganization plan for the department that included a new assistant secretary for cyber security and telecommunications. Months later the position is still unfilled.
I spoke with Ridge after his keynote about what it would take to move national and cyber-security as well as public-private data sharing in the right direction. He told me that technology was not the problem, that he has no doubt the private sector can make technology that could improve the security of data sharing and cyber space in general. The problem continues to be defining how that technology will be used and getting people to trust the government. "We have to become acclimated to the notion that certain information can be shared without stepping on privacy," he told me.
Ridge is very good about staying "on message." Even the following comment from the audience during the Q&A session following his keynote didn't rattle him: "If the terrorists want to hurt this country, they can just ship free heroin and cocaine here." (This comment was followed by a more serious question from the same individual about how government and the shipping industry plan to improve port security.)
This may be a bit off topic, but I wanted to share it with you. Despite pessimism over the war in Iraq and frustration over efforts to secure borders and ports and share critical infrastructure data, Ridge sounded a positive note when placing America's current challenge in historical context. "The Cold War was an even more dangerous situation, and the consequences [nuclear war] were more horrific than a terrorist attack," he said. "We'll become a stronger, better, safer country." I'm not a fan of spin, particularly when it relates to my safety, but something in me wants to believe him.