Cyber Eye: Time to get serious, Marcus Sachs says
- By William Jackson
- Aug 21, 2003
'The media needs to get the message out,' Marcus H. Sachs told attendees at last month's Black Hat Briefings in Las Vegas. 'There is a lot of hyperbole out there' about breaches but little real improvement in cybersecurity, he said.
Sachs, director of the National Cybersecurity Division in the Homeland Security Department's Information Analysis and Infrastructure Protection Directorate, spoke at the annual security conference that brings hackers together with industry and government types.
So I asked Sachs, the government's point man on cybersecurity, what message did he want to get out?
'Be serious about security,' he said. 'Become personally involved.' Systems administrators must be passionate about their work, not just good at their jobs, he said.
The Defense Department's 1997 Eligible Receiver exercise showed how vulnerable DOD networks were, Sachs said, but not until the Solar Sunrise attacks against Air Force systems in 1998 was the topic taken seriously.
Next came the attacks of Sept. 11, 2001. 'How was it we missed all the physical vulnerabilities while we were focused on cyber?' Sachs asked.
DHS now splits its attention between the physical infrastructure and the cyber infostructure.
The department has been criticized, most notably by Sachs' former boss Richard Clarke, for slighting the cyber side.
'We in cybersecurity are doing just what we should be doing,' Sachs countered. But developing security technology and knowing how to apply it are two different things. Implementing security is more of a social issue than a regulatory or legislative one, he said: 'Passing laws that mandate security generally doesn't work.'
'Security is a hard thing to sell,' Sachs said. 'Most federal systems administrators are damn good and overworked,' largely self-educated and responsible for covering many bases in the daily job. The attention they devote to patching software and tracking configurations often depends on personal commitment.
'It's got to be a passion,' Sachs said. 'Take it seriously.'
OK, his message is out.
How are you going about the job? Where have you found help? You can reach me at
William Jackson is a senior writer of GCN and the author of the CyberEye blog.