FRAMINGHAM (03/18/2004) - The National Cyber Security Partnership, a coalition of influential IT industry lobbying groups and companies, Thursday released two of the five action plans it promised to deliver this month to the U.S. Department of Homeland Security (DHS) for improving the nation's cybersecurity.
The plans released so far cover the development of a nationwide early-warning capability and cybersecurity awareness for small businesses and home users. The other three plans, covering corporate governance, technical standards, and secure software development and maintenance, are scheduled to be released in early April.
The release of the action plans follows a commitment from the private sector to the DHS on Dec. 3 at the National Cyber Security Summit in Palo Alto, Calif. The private sector hopes to take an active role in helping the DHS achieve the cybersecurity goals outlined in the Bush administration's National Strategy to Secure Cyber Space.
Harris N. Miller, president of the Arlington, Va.-based Information Technology Association of America (ITAA), said that the three task forces that have not yet completed their work are "very close" to finishing final plans and that the delay won't hurt the overall process. "We still should be able to get plenty of feedback by June, which is our deadline for the next iteration of reports," said Miller.
Nearly all of the private-sector executives who briefed reporters on the plans struck a cautious note about the intent of the effort and any near-term results. Despite continuing pressure on the IT sector by the DHS to improve cybersecurity, all of the executives characterized the work as a voluntary public service program -- not as an advisory effort for the DHS.
"We are not a one-stop solution to everything we deal with when it comes to cybersecurity," said Howard Schmidt, chief information security officer at eBay Inc. and the co-chair of the Awareness Task Force. "This is a voluntary effort."
By the end of the year, the group plans to establish an Early Warning Alert Network (EWAN) for executives throughout the nation's various critical-infrastructure sectors, said Greg Garcia, an ITAA executive who served as secretary of the Early Warning Task Force.
Doug Pearson, manager of Digital Media Network Services at Indiana University and an Early Warning Task Force member, said EWAN will be a trusted network of networks that will link government and private-sector organizations at various horizontal levels, from systems administrators to operations managers and C-level executives. The network will provide individual channels for access to situation reports, alerts, analysis and crisis conference coordination, he said.
The Early Warning Task Force also called on the federal government to develop a National Crisis Coordination Center by 2006. The center would coordinate analysis, warning, response, training, and research and development among critical-infrastructure sector experts as well as representatives from federal, state and local government, Garcia said.
Andrew Howell, vice president of homeland security at the U.S. Chamber of Commerce, said the Awareness Task Force has produced a small-business guide book of practical tips for security. It also called on large enterprises to conduct a series of CEO forums with the DHS to raise awareness among senior executives. Likewise, a Web-based training tool will be available in May to state and local officials.
Ty Sagalow, deputy chief underwriting officer and vice president at American International Group, said his company has started offering premium credits for cyber insurance to companies that "execute" the recommendations outlined in a "Common Sense Guide," which is available for free through the partnership's Web site.
"We are now reaching out to other members of the insurance industry," he said. "For awareness to be effective, it has to result in action, and in order for there to be action, there has to be incentive."
Dan Caprio, chief of staff at the U.S. Federal Trade Commission, led the home-user awareness effort. He said that task force will begin working with Internet service providers this fall on a major campaign to educate home users about cybersecurity. Part of that effort will include awareness tool kits, including mousepads with security tips printed on them that will ship this summer, he said.
Alan Paller, director of research at the Bethesda, Md.-based SANS Institute, criticized the task forces, saying they once again shift the burden from IT vendors to end users.
This announcement "is the equivalent of national leaders telling every driver to wear football pads and helmets and tie themselves to the seat backs because the automobile manufacturers won't build in seat belts and air bags and better bumpers," said Paller. "The dire situation is caused almost entirely by software vendors who have completely failed to meet their responsibilities to the nation and to their customers.
"In essence, the vendors are promoting a 'blame-the-user' strategy because they cannot or will not build comprehensive security solutions that protect their clients."