Securing critical infrastructure needs holistic approach, panel says

Securing the nation’s and the world’s increasingly critical, connected and diverse information infrastructure requires a holistic view of cybersecurity, rather than a focus on specific technologies, threats and delivery vectors, according to a panel of government security officials.

“Security is all about mission” and not about networks or specific assets, said Phillip Reitinger, deputy undersecretary of the Homeland Security Department’s National Protection and Programs Directorate.

“The United States is facing a grave economic and security challenge,” through information security breaches, said James Richberg, acting assistant director of national intelligence for cybersecurity in the Office of the National Intelligence Director.

Much of our cybersecurity resources are focused on remote network penetration and securing data from theft, Richberg said. Although these are critical issues, focusing on any one aspect of cybersecurity leaves our enterprises vulnerable to other lines of attack.

“We must develop ways to defend against all lines of threats,” he said. Those include insider and supply chain threats as well as remote penetrations; attacks from nations as well as from criminals, hackers or terrorists; and the destruction or manipulation of information as well as its threat.

The comments were made June 18 during a seminar hosted by GCN's affiliate publication, Federal Computer Week.

The Defense Department and the National Security Agency have led the way in much of the advancement in cybersecurity over the past decade, beginning with the Solar Sunrise penetrations by a pair of teenagers in 1998, said Richard Schaeffer Jr., NSA’s information assurance director.

“That was the beginning of the leadership at DOD realizing that we have a problem,” Schaeffer said. “Over the past 11 years, the DOD has made some great strides. We’ve come a hell of a long way, and we are accelerating at a terrific rate.”

The Comprehensive National Cyber Initiative from 2008 and this year’s cyber policy review represent a greater national consciousness of the problem, he said. But despite progress and growing awareness, the speakers agreed that the process of securing the information infrastructure will not be simple or easy, and probably never will be complete.

Key elements remaining to be addressed in strengthening cybersecurity include automating security with smarter, self-defending networks that can evaluate behavior, enforce policy and respond to incidents. Much of this process will require stronger identity management and authentication, they said. This would include not just persons using the systems, but machines and processes as well.

Another common theme is the need for stronger partnerships within government, between governments, and between government and the private sector. Progress has been made in partnering, Reitinger said, but operational cooperation between the public and private sectors still is lacking.

“I don’t think we’re there yet,” he said. “This is less about talk and more about do.”

To make these partnerships work, the private sector must insist that the public sector provides the assistance and information they need, Schaeffer said. “They must hold public partners accountable to be real partners.”

Reader Comments

Mon, Aug 10, 2009 Anonymous Pelosi

The biggest challenge faced by our government IT professionals is size and bureaucracy. A command and control approach is only so effective when trying to monitor and manage the numerous and disparate agency IT operations. With groups containing only a few users to single subnets with 1000s of users, each office or regional manager should have 100% visibility and knowledge about their IT operations. Most do not. Our government IT systems, outsourced at multiple levels and layers, can't possibly be well-run. Complexity is the enemy of efficiency and getting things. Holistic approach, indeed. I just can't see reconciling getting things done when the simple things seem to be so difficult.

Wed, Jun 24, 2009

All networks, to be secure, must employ asymmetry authentication deployed as PKI. This is essential to establishing trust and ownership. Their are few governmental contractors that have the technology and know how to implement this solution. ORC/Widepoint being one of them. They currently do the credentialing for DoD. TK

Sat, Jun 20, 2009 Kevin DC

What most people do not realize is that a fair portion of our critical infrastructure is old and outdated. That means the hardware/software is not supported any longer. No updates, no security patches and no help! That means we have to replace all that outdated /obsolete equipment. Now that will drive the cost to protect our critical infrastructure significantly higher. Current estimates project the cost to range between $55 and $65 billion a year through 2012.

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above