Securing critical infrastructure needs holistic approach, panel says
- By William Jackson
- Jun 19, 2009
Securing the nation’s and the world’s increasingly critical, connected and diverse information infrastructure requires a holistic view of cybersecurity, rather than a focus on specific technologies, threats and delivery vectors, according to a panel of government security officials.
“Security is all about mission” and not about networks or specific assets, said Phillip Reitinger, deputy undersecretary of the Homeland Security Department’s National Protection and Programs Directorate.
“The United States is facing a grave economic and security challenge,” through information security breaches, said James Richberg, acting assistant director of national intelligence for cybersecurity in the Office of the National Intelligence Director.
Much of our cybersecurity resources are focused on remote network penetration and securing data from theft, Richberg said. Although these are critical issues, focusing on any one aspect of cybersecurity leaves our enterprises vulnerable to other lines of attack.
“We must develop ways to defend against all lines of threats,” he said. Those include insider and supply chain threats as well as remote penetrations; attacks from nations as well as from criminals, hackers or terrorists; and the destruction or manipulation of information as well as its threat.
The comments were made June 18 during a seminar hosted by GCN's affiliate publication, Federal Computer Week.
The Defense Department and the National Security Agency have led the way in much of the advancement in cybersecurity over the past decade, beginning with the Solar Sunrise penetrations by a pair of teenagers in 1998, said Richard Schaeffer Jr., NSA’s information assurance director.
“That was the beginning of the leadership at DOD realizing that we have a problem,” Schaeffer said. “Over the past 11 years, the DOD has made some great strides. We’ve come a hell of a long way, and we are accelerating at a terrific rate.”
The Comprehensive National Cyber Initiative from 2008 and this year’s cyber policy review represent a greater national consciousness of the problem, he said. But despite progress and growing awareness, the speakers agreed that the process of securing the information infrastructure will not be simple or easy, and probably never will be complete.
Key elements remaining to be addressed in strengthening cybersecurity include automating security with smarter, self-defending networks that can evaluate behavior, enforce policy and respond to incidents. Much of this process will require stronger identity management and authentication, they said. This would include not just persons using the systems, but machines and processes as well.
Another common theme is the need for stronger partnerships within government, between governments, and between government and the private sector. Progress has been made in partnering, Reitinger said, but operational cooperation between the public and private sectors still is lacking.
“I don’t think we’re there yet,” he said. “This is less about talk and more about do.”
To make these partnerships work, the private sector must insist that the public sector provides the assistance and information they need, Schaeffer said. “They must hold public partners accountable to be real partners.”
William Jackson is freelance writer and the author of the CyberEye blog.