Companies and the US government need to work together to fix the problems in their computer networks, said the US's cybersecurity czar at the RSA Conference.
Within the next 10 years, most of the world's communication needs will probably be handled by the Internet, said Gregory Garcia, the assistant secretary for cybersecurity and telecommunications at the US Department of Homeland Security (DHS). "This proliferation of applications and devices within the converged network is going to create a breeding ground for security problems," he said. "Our networks and our systems are vulnerable and they are exposed."
Garcia outlined two priorities for the year ahead. First, his office is working with federal agencies to adopt common security policies and practices. Second, he plans to work with the private sector to push forward a process called the National Infrastructure Protection Plan. This effort is intended to evaluate computer security risks on an industry-by-industry basis and outline the steps that need to be taken to address them.
The broad strokes of this plan were outlined last June, and the DHS is now working with industry to flesh out sector-specific plans, Garcia said.
He made it clear that the DHS expects US companies to participate. "There are a lot of plans in Washington. This one is going to stick," he said. "The private sector owns and operates 90 percent of the critical infrastructure, and it's up to you all, not just the DHS, to secure this infrastructure."
Companies looking for best practices already have a number of standards they can consider, Garcia said, pointing to the International Organization for Standardization (ISO) 17799 specification and the guidelines prescribed by TechNet, an IT industry association.
Computer security has not been a top priority at the DHS, which has paid far more attention to physical security threats to the nation since its inception in 2003. And though DHS Secretary Michael Chertoff tried to put a sharper focus on computer security by creating Garcia's high-level post in 2005, the position remained vacant for more than a year.
Art Coviello, president of EMC's RSA group, said he was encouraged by the assistant secretary's speech.
"It's a combination of carrot and stick," he said. "Chiding industry to actually comply with these standards that are out there, and a veiled threat of regulation to get things done."
Coviello said that cybersecurity had "languished a bit" within DHS. "The Department and Secretary [Tom] Ridge and Secretary Chertoff obviously focused on the right things - physical threats - but now it's time to get after the critical infrastructure from the cyber side," he added.
"I don't think industry is looking for a lot of regulation from government," he added. "What they are looking for is leadership."
Original story by IDG news service