Experts assess government role in online security

[InfoSec News <isn () C4I ORG>]

http://www.govexec.com/dailyfed/0301/030701td.htm

By William New
National Journal's Technology Daily
March 7, 2001

Government and private-sector experts in Internet security on Tuesday
gave their assessments of how government should help guard against
inevitable cyber attacks from an array of likely foes.

John Tritak, director of the federal Critical Infrastructure Assurance
Office (CIAO), said government must take a lead in the ensuring that
the nation's critical infrastructure is secure, especially because
government systems typically are operated by private-sector entities.

Tritak called for leadership "from the White House down," in a
coordinated approach, communicating a clear message. Currently, he
said, the system of government still reflects its origins in the era
before the information age.

Yet Tritak also called on industry to take a lead on security issues
from an economic or risk-management standpoint, keeping government on
the sidelines to provide oversight and step in where the market fails
to accomplish the goal.

He also said there is a need globally to close safeguards for cyber
criminals, and said it is time to move from raising awareness about
cyber security to building consensus on how to address the risks.
Tritak said a Bush administration review of the CIAO is underway and
that a new plan for addressing security is expected by late summer or
fall. He would not provide details.

Utah Republican Bob Bennett, the former chairman of the Senate
Republican High-Tech Task Force, said the biggest security problem is
that businesses do not know when they are at risk. He called for the
creation of a government office like the one created to address the
threat of the year 2000 computer bug.

Bennett also said bringing the level of a computer security risk to
the attention of a company CEO is more effective than leaving it to a
chief information officer because addressing the threat is a
management/leadership problem.

Taher Elgamal, president and CEO of Securify, said responsibility for
solving security issues is "not business. It's not government. It's
community." His suggestion was to assign responsibilities within the
community, "which has not happened yet."

He noted that the Internet is still insecure because it was built to
share information, not for business use. The way to address that is to
strengthen the existing infrastructure because it cannot be replaced.
But doing so is difficult, Elgamal said, because "people believe they
can solve everything with a technology solution. That's a complete
misconception."

Elgamal echoed Bennett's suggestion for a system of feedback to inform
companies how cyber-security operations are functioning so that they
will be notified when the operations are not working properly.

Bennett said striking the balance between privacy and security is
difficult because the Internet was designed for information sharing
for everyone connected. "There is no silver bullet," he said. "If you
get absolute privacy, you're never going to order anything on the
Internet [nor] look at anything on the Internet again."

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".