FRAMINGHAM (10/20/2003) - With its new Cyber Warning and Information Network, the U.S. Department of Homeland Security (DHS) finally may have hit on the right model to ensure that the private sector shares cyberattack information with the feds: by getting information from security providers instead of the victims.
First proposed in 2001 by former cybersecurity czar Richard Clarke, the program provides an information collection and dissemination network for government agencies and private-sector information security companies that clean up after cyberattacks. When a security breach occurs, network members have agreed to report the details to the network (run by DHS), which in turn would alert via e-mail and a telephone hotline others that may be at risk. It all comes at a good time because attacks are on the rise. According to one network member, vendor Internet Security Systems, the number of serious security threats will more than double this year compared with last.
As outlined by the Bush administration, the network differs from previous initiatives in that it doesn't depend on victims to notify the government of an attack. As such, says Alan Paller, research director with the SANS Institute, it avoids a major shortcoming of earlier efforts at cooperation that relied on companies to volunteer information. Officials, instead, obtain information about security breaches from the security service providers most large companies have on contract. As a model, think of the Centers for Disease Control and Prevention, which collects health information from doctors, rather than patients. The network is already live, says DHS spokesman David Ray, and was used to exchange information during the Northeast blackouts in August.
Right now, says Peter Allor, manager of X-Force Threat Intelligence Services with Internet Security Systems, the government is choosing which vendors get to join, a factor, he says, of the high cost for DHS to connect new members to a private network that is not connected to the Internet. Unfortunately, because end user companies don't participate in the service directly, CIOs (chief information officers) will be able to benefit from it only if their security providers are members, for now leaving CIOs whose providers are not part of the system out in the cold when a serious attack occurs. Meanwhile, CIOs who have contracts with an approved network member need to make sure that their contracts include language that allows the contractor to report any security breaches that occur.
Congressman Wants Companies to Report Cyberdefense Steps
Amid the fallout from summer battles against the Sobig and Blaster worms, one influential member of Congress is considering whether to force companies to publicize their readiness to combat future cyberattacks.
Representative Adam Putnam, a Florida Republican and head of the U.S. House Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census, wants companies to fill out a cybersecurity checklist in their filings with the Securities and Exchange Commission. Though the feeling on Capitol Hill is that companies aren't doing enough to secure their piece of the Internet, Putnam is the first legislator to endorse a reporting requirement.
After a subcommittee hearing last month, Putnam said his approach would force executives of publicly traded companies to pay attention to cybersecurity. "It is the least blunt instrument and the least regulatory approach," Putnam said.
Because he hadn't introduced any legislation as of mid-September, it's unlikely such a bill would pass this year, but some cybersecurity experts predict any more Internet attacks would put pressure on Congress to take action sooner.
Bob Dix, the subcommittee's staff director, says a cybersecurity reporting requirement styled after the financial reporting rules in the Sarbanes-Oxley Act would raise awareness among top-level executives. Disclosures could take the form of a checklist, asking such questions as "Do you have an up-to-date IT assets list?" Companies that have several unchecked items may cause concern among stockholders, board members or customers, and be forced by the marketplace to deal with cybersecurity, say the concept's supporters.