Information Security News mailing list archives

Report finds progress in cybersecurity in private sector


From: InfoSec News <isn () C4I ORG>
Date: Thu, 7 Dec 2000 03:23:29 -0600

Forwarded by: Anonymous

http://www.computerworld.com/cwi/story/0,1199,NAV47_STO54703,00.html

By DAN VERTON AND MATT HAMBLEN
December 04, 2000

Representatives from more than a dozen critical infrastructure sectors
of the economy, including telecommunications, transportation and
electric power, this week plan to deliver to the White House a status
report on the private sector's progress in beefing up cybersecurity.

Their findings: Many companies have made significant progress during
the past year to protect their infrastructures from attack, but others
still face an uphill battle.

The closely guarded report, produced by members of the National
Partnership for Critical Infrastructure Security, will be used as a
basis for the next version of the Clinton administration's plan
outlining how the government and private firms must work together to
bolster cybersecurity. The NPCIS is a joint effort between federal
agencies and the private sector.

Officials said the banking and energy industries remain ahead of many
other sectors in security preparedness. Other sectors, including
telecommunications, transportation and waterways, face difficult
challenges stemming from a vast array of factors such as deregulation
and market fluctuations.

Ken Watson, co-chairman of the coordinating committee of the NPCIS,
acknowledged that progress hasn't proceeded at the same pace in all
sectors.

"I have talked personally to the sector coordinators, and they are all
working feverishly at this," said Watson, who's also manager of
critical-infrastructure protection at Cisco Systems Inc. in San Jose.
"There are some sectors that are ahead of others. However, we accept
the challenge that the government has given us to protect the networks
that run our infrastructure."

One indicator of progress is the pending announcement of an
Information Sharing and Analysis Center (ISAC) for the IT community,
similar to the ISAC that already exists for the financial services
sector. The ISAC offers a secure database, analytic tools and other
software that allow officials to submit reports about information
security threats, vulnerabilities, incidents and solutions.

Addressing obstacles

Tim Atkins, a member of an NPCIS working group, said the IT sector has
been moving very aggressively. Any perceived slowness is due to a
genuine desire by industry to protect proprietary and sensitive
information on behalf of their companies, their shareholders and their
clients, said Atkins, who is director of critical infrastructure
protection at consulting firm SRA International Inc. in Fairfax, Va.

Thomas R. Horton, chairman of the National Association of Corporate
Directors and a participant in several recent critical-infrastructure
protection summit meetings, said corporate concerns regarding
shareholder value and increased competition may be getting in the way
of security progress at some banks, airlines and telecommunications
companies.

Despite the banking industry's perceived success in the area of
security, a recent spate of money laundering schemes in the banking
industry, including a $1.4 billion scam against Citigroup Inc. and
Commercial Bank of San Francisco that lasted nine years, raises
serious questions about the status of security in the industry, said
Horton.

Likewise, the airline and telecommunications sectors have come "under
siege" as a result of deregulation and the current climate of mergers
and acquisitions, said Horton. A senior White House official said
years of a "systematic underinvestment in [electric power] grid
capacity," combined with the effects of wholesale deregulation, has
created a "potentially perilous [security] situation."

But two CIOs from the natural gas and electric industries said that
security protections against cyberattacks in their industries are
being addressed constantly, although the national effort lacks a
useful gauge for how much security is enough.

"If you don't have any attacks, it's easy to let the program slip,"
said Jon Arnold, CIO at the Edison Electric Institute in Washington, a
trade association that represents 100 investor-owned electric
utilities.

What's it all for?

Gary Gardner, CIO at the American Gas Association in Washington, said
he sometimes wonders what the industry gets in return for its
cooperation with the government. "To some extent, I don't know what
sharing all this information achieves for us, which is what the oil
industry has said as well," said Gardner, adding that FBI warnings on
the "I Love You" virus didn't arrive until two hours after it hit his
company's offices.

Bruce Freeman, CIO at Burlington Northern Santa Fe Corp. (BNSF) in
Fort Worth, Texas, said his company became concerned about
infrastructure security four years ago, partly because a security
consultant was able to persuade 97 out of 100 BNSF employees to
divulge their system passwords and user IDs.

Freeman said the railroad immediately entered into an aggressive
training campaign to educate employees to be more secure. He said the
company also beefed up its infrastructure security.

Gene Gorzelnik, a spokesman for the North American Electric
Reliability Council (NERC) in Princeton, N.J., said all the sectors
are making progress, but admittedly at different speeds. "You can't
build something from nothing overnight," he said.

The NERC is presenting written recommendations for the Clinton plan.

ISN is hosted by SecurityFocus.com