IT security is the industry's burden
- By William Jackson
- Oct 20, 2004
Paul Kurtz, cybersentinel (photo: J. Adam Fenster)
Paul Kurtz heads the Cyber Security Industry Alliance of Washington. But he spent most of his career at the State Department, where he began as an intern in 1986.
He worked at several bureaus, specializing in nonproliferation of weapons of mass destruction and in strategic arms control. Kurtz also served on arms control inspection teams in Iraq and North Korea before moving to the National Security Council in 1999. There he was director for counterterrorism in the Office of Transnational Threats.
As a member of the President's Critical Infrastructure Protection Board, Kurtz helped develop the National Strategy to Secure Cyberspace. He joined the White House's Homeland Security Council in 2003 and most recently was special assistant to the president and senior director for critical infrastructure protection.
Kurtz has a bachelor's degree in political science from Holy Cross College and a master's in international public policy from Johns Hopkins University's School of Advanced International Studies.
Kurtz spoke to GCN senior editor William Jackson.
GCN: Why did you leave government for the private sector?
KURTZ: All told, I had about 18 years in the government. I started in 1986 and finished up with four years at the White House, working under both presidents Clinton and Bush. It was a tremendous experience working on counterterrorism, critical infrastructure protection and cybersecurity.
I got to the point that I felt I could make more of a contribution on cybersecurity in the private sector. The executives who asked me to lead the Cyber Security Industry Alliance are thoughtful, strong-willed people who want to make a difference.
The other half is that working counterterrorism for four years at the White House takes a toll: being available by beeper or phone 24 hours a day and always wondering what's going to blow up under you.
GCN: What was the most positive thing you brought away from government service?
KURTZ: Working on the President's Critical Infrastructure Protection Board, which came into being shortly after Sept. 11, 2001, and was the precursor of the National Strategy to Secure Cyberspace.
I would also highlight December 2003 when the president signed the first directive for critical infrastructure protection. I principally drove that one through, which set up the relationships between the Homeland Security Department and other agencies. The president said we need a focal point within Homeland Security for cybersecurity.
GCN: How well is the National Strategy to Secure Cyberspace being implemented?
KURTZ: I think the strategy is as relevant today as in February 2003. The staff that put it together worked very closely with the private sector and highlighted the major priorities to work on together.
But implementation has been weak for a variety of reasons. There was a drop-off in activity as Homeland Security was formed. The Information Analysis and Infrastructure Protection Directorate was late getting staffed.
I agree with DHS that we need to maintain an integration between physical and cybersecurity. But that doesn't mean that one has to be lower in the pecking order. There is a fundamental misunderstanding of the importance of cybersecurity in government and in the private sector.
Having a DHS assistant secretary paying attention to this on a full-time basis gives more attention to cybersecurity without taking away from the physical infrastructure.
GCN: How does your alliance operate?
KURTZ: It is a public policy advocacy group formed by leaders of the IT security industry, 13 members now. Prior to that, there was one-off activity within the industry. It didn't have a common voice.
We released a report on the National Information Assurance Partnership, which is the certification process for the Common Criteria. We identified problems we found.
Funding for cybersecurity R&D has been going down. We are identifying priorities that require more basic research funding by government.
GCN: How significant is the threat of cyberterrorism?
KURTZ: I think the threat is significant to the financial markets, the energy grid, transportation. But we should be careful not to overstate it. To date, terrorist organizations have only used the Internet to communicate and coordinate.
If we cast cybersecurity as a national security issue, we won't reach the audience we need. It becomes a job for Uncle Sam to solve, whereas at the end of the day government has very limited means. The owners and operators of the infrastructure are in the private sector. If we approach it from a business risk viewpoint, steps taken by enterprises and home users will harden us against cyberterrorism. If we do it right, we will defend ourselves against the attacks that will come.
GCN: There are millions of computer security incidents every year. Have any risen to the level of terrorism?
KURTZ: I can't think of any. But it's an interesting dance that is going on among the hacker organizations and the criminal organizations. Viruses get to a point and then stop or fall off. We've seen indications of what a terrorist attack could do, but just because we haven't seen a concrete example, we shouldn't think it won't happen.
GCN: How does the state of IT security in government compare with the private sector?
KURTZ: The federal government has made significant improvement in putting into place the authority and infrastructure to improve cybersecurity. There's a long road ahead. Both the Government Information Security Reform Act and its successor act have done a good job of setting requirements. The Office of Management and Budget continues to improve processes. But more needs to be done.
If you look at the resources OMB has to look into how the requirements are applied, it's pretty limited. There needs to be greater attention to having resources to support the laws that are in place.
Information security funding for the National Institute of Standards and Technology has not been enough to support the weight it has been asked to bear.
On the private side, the financial sector gets it. Telecommunications and the chemical sector are taking cybersecurity more seriously. I don't think the energy sector is there yet.
GCN: Is it a coincidence that the financial sector is one of the most heavily regulated?
KURTZ: It was one of the first industries to form an information sharing and analysis center. They understand the importance of security to their business. Certainly regulation has had an impact, but I would argue they are showing real leadership and creativity.
A lot more attention needs to be paid to supervisory control and data acquisition systems, and a lot more work done on federal coordination. What is the level of coordination between the departments of Energy and Homeland Security and the Nuclear Regulatory Commission?
Users and vendors need to agree to a common set of information security principles. That requires senior-level attention on corporate boards, with regular review, and it requires training and policies to ensure that hardware and software are deployed securely.
GCN: For years vendors have said they don't make secure products because customers don't want them. Is that changing?
KURTZ: There has been an evolution. The 1990s were a time of faster, better, easier to use. Around 2001, the Nimda worm became a wake-up call for a lot of suppliers.
Government can set an example and set the pace by making its own systems as secure as possible, given the business requirements and the risks accorded to each.
Government can also take the lead in contingency planning. What if we suffer a significant attack and the Internet comes down? How do we rebuild and communicate? That needs greater attention from Homeland Security. It can bring the private sector together with state and local governments and run what-if scenarios. The private sector really can't do it without leadership in the federal government to pull those pieces together.