IT security focus moves from coders to lawyers

NSC's Jeffrey Hunker says most cyberattacks on governments are not sophisticated, but they're getting people's attention.

Cost of insuring against attack will establish its importance on government agendas, feds say

By William Jackson

GCN Staff

Establishing a legal framework has become essential for computer security, but 'we don't have that yet,' the National Security Council's Jeffrey Hunker says.

Only clear lines of liability tied to the costs of systems risks will make security a priority among senior managers, said Robert Miller, deputy director of the Commerce Department's Critical Infrastructure Assurance Office (CIAO).

'Auditors and insurance underwriters are playing an increasingly important role' in risk management by helping put price tags on security, Miller said.

Hunker and Miller were among the federal speakers at a global infrastructure protection conference that the Open Group, a consortium of information technology vendors and users, held last month in Arlington, Va.

Teamwork needed

The pair, along with other government speakers, emphasized the need for cooperation between the public and private sectors.

'It is a national security issue that the government by itself cannot address,' said Hunker, the National Security Council's senior director for critical infrastructure. Government networks are vulnerable to attack through commercial networks, and national transportation and energy grids are vulnerable to attacks through both, from individual hackers all the way up to coordinated efforts by hostile nations, Hunker said.

'The next major sets of conflicts that occur will have a major component of cyberwarfare,' he said.

A number of nations, friendly and not so friendly, have announced 'significant offensive cyberattack programs,' Hunker said. 'We know what they can do because we know what we can do. The problem is here, and it's only going to get worse.'

Cyberwarfare so far has not been terribly sophisticated, Hunker said. Revolutionaries in Sri Lanka and Mexico have defaced Web sites to attract attention to their causes.

'You saw it in the former Yugoslavia, and now you see it again in the fighting in the Middle East,' he said. But recent Web hacks and denial-of-service attacks against Arab and Israeli sites appear to be the work of individuals or groups of hackers rather than organized efforts by governments.

'It's not very sophisticated, but it's getting people's attention,' Hunker said. 'It is being used more persistently, and that trend is going to continue.'

In many cases, the technical ability to protect systems outstrips the will, private or governmental, to implement protection.

CIAO is working on Version 2.0 of a federal critical infrastructure protection plan, due out next year, and the emerging perception is that the issue is primarily one of risk management, Miller said.

Defining the limits of liability and setting prices for insurance will help set pricing mechanisms for risk management, speakers said.

'We've always regarded this as being as much an organizational and a leadership issue as a technical issue,' Hunker said. 'This is one of the major lessons from Y2K.'

The massive drive to prepare public and private systems for the year 2000 was spurred largely by legal and liability issues. Insurance companies put limits on the coverage they would provide and pressured customers to fix problems, Hunker said. 'That got people's attention.'

To help create the same kind of legal awareness for security, Hunker's office has held the first of a series of conferences with state bar associations, and it held five conferences last year with auditors and directors of organizations, he said.

But the jolt to make security an issue in the boardroom may come from the courtroom. 'We somehow have escaped massive litigation in that area,' Miller said. 'We can expect major class actions.'

Hunker agreed. 'The first day that a major New York trading house has its functions disrupted is going to be the day we see a multibillion-dollar lawsuit,' he said.

