InfoSec News: Experts struggle with cybersecurity agenda: http://www.gcn.com/online/vol1_no1/46189-1.html

By William Jackson
GCN Staff
04/28/08

Whoever becomes our next president will inherit a cyber infrastructure
under almost constant attack and at greater risk than eight years ago,
and a handful of experts and legislators have come together to ensure
that cybersecurity has a high priority in his or her administration.

The Commission on Cyber Security for the 44th Presidency, set up in
November by the Center for Strategic and International Studies, held the
second of five planned public meetings Monday to hear recommendations on
issues of information security, identity theft and government
leadership.

Cybersecurity is not a technical issue, panelists said, but a matter of
culture, education and self-interest. Government cannot regulate
information technology security, and industry cannot do the job by
itself. Forging the public/private partnership needed to provide
adequate security will require leadership in both government and
industry. Cooperation between the two spheres may not be easy to come
by, said John Koskinen, who spearheaded the government response to the
Year 2000 Transition.

"The private sector is always nervous about what the government is up
to," Koskinen said. Business deals with security in terms of business
cases and managing acceptable risk, while government tends to deal in
regulatory absolutism. And information sharing is always a challenge.
The advice of corporate general counsels is generally "Don.t tell
anybody anything."

But the Y2K transition showed that effective cooperation is possible if
government acts as a catalyst to establish priorities and bring
different sides together, he said.

The nonpartisan think tank established the commission "to develop
recommendations for a comprehensive strategy to improve cybersecurity in
federal systems and in critical infrastructure." Its goal is to have a
package of recommendations ready for the next president by November.
Cybersecurity will be vying with numerous other domestic and
international, economic, security and political issues for the
presidential transition team's attention. Establishing it as a high
priority will require putting it on the legislative and policy agenda
from the beginning of the administration, organizers say.

Co-chairmen of the group are the former director of the U.S. National
Security Agency, Lt. Gen. Harry Radeuge; Scott Charney, vice president
of trustworthy computing at Microsoft; Rep. Jim Langevin (D-R.I.),
chairman of the Homeland Security Subcommittee on Emerging Threats,
Cyber Security and Science and Technology; and ranking Republican Rep.
Michael McCaul of Texas. Members of the commission include Amit Yoran,
formerly top cybersecurity official at the Homeland Security Department;
Orson Swindle, formerly of the Federal Trade Commission; and Marty
Stansell-Gamm, former head of the Department of Justice.s computer
crimes division; in addition to a number of industry executives.

There was not complete agreement among panelists on cybersecurity
priorities. They agreed that a single national data breach notification
law is needed to replace the current patchwork of 40-plus state laws.
Although Lisa Sotto, a partner at the law firm Hunton and Williams,
called for federal preemption of state laws, David Mortman, chief
information security officer-in-residence at Echelon One, wanted federal
law to set a baseline for breach notification without precluding stiffer
state requirements.

Julie Ferguson, vice president of emerging technology at Debix, called
for a zero-tolerance policy for identity theft enforced by required
verification of online transactions with consumers. Jay Foley, founder
of the Identity Theft Resource Center, called for creation of a national
death registry and for the Social Security Administration to create a
database tying Social Security numbers with dates of birth to help
prevent misuse of the numbers even though efforts are being made to stop
their use as a unique personal identifier.

Pamela Fusco, executive vice president of security solutions at Fishnet
Security, said she wanted to establish an International Data
Classification Standard that could help identify and assess value and
risk to data. This would improve business practices and help put teeth
in government regulation, she said.

"Information is not being identified as essential," Fusco said. "We're
protecting machines, we.re protecting access," we have not developed
standard ways to classify and prioritize the information that underlies
them.