Better organization, focus needed for cybersecurity
- By William Jackson
- Apr 27, 2006
The government needs to establish clear lines of authority and clarify responsibility for an effective national information assurance policy, former presidential adviser Paul Kurtz said Thursday.
"We have a growing body of law and regulation bearing on information security," Kurtz said at the GovSec conference in Washington. But, "we are not ready for a major disruption of the information infrastructure today, and we have a long way to go to get there."
Kurtz, executive director of the Cyber Security Industry Alliance, proposed a two-tiered framework for cybersecurity, in which critical functionality could be identified for government attention, while less pressing issues are passed to the private sector.
"The government doesn't have to solve everyone's problem here," Kurtz said. Market forces and self-interest could be leveraged to handle problems of public awareness, education and coordinating information.
Kurtz and Tom Leighton, chief scientist for the content delivery network operator Akamai Technologies, described cyberspace as a tough neighborhood that is getting tougher.
"We have to anticipate that terrorist groups will get involved in disrupting cyberinfrastructure," along with nation states, Kurtz said.
We also must anticipate that attacks will succeed, and build infrastructure to survive and respond to them, they said.
"We are under constant attack," Leighton said of Akamai's network. "At any given time, we have a lot of servers taken down. And it doesn't matter, because we direct traffic elsewhere."
Establishing an effective policy requires leadership. Kurtz called the still-vacant position of assistant secretary for cybersecurity in the Homeland Security Department critical to establishing a viable policy.
"Unfortunately, we're almost at a one-year anniversary, and we still don't have an assistant secretary in place," he said.
Kurtz referred to the government's response to Hurricane Katrina, in which primary responsibility for the efforts eventually devolved to the Defense Department. Knowing who will be needed to respond to a cyberdisaster is a critical part of establishing a policy.
"If we come under attack, it's going to be the geeks who restore the networks," he said. Identifying and organizing the personnel and resources needed for such a response should be done in advance.
William Jackson is freelance writer and the author of the CyberEye blog.