Cyber 'epidemic' grows more urgent

Agencies need to expand work on standards, collaboration and public awareness

WILLIAMSBURG, Va. -- When the country was threatened with an H1N1 flu pandemic in 2009, nearly every sector of society got involved with educating the public. Agencies such as the Centers for Disease Control and Prevention set up websites, public-service TV ads were aired, schools preached good hygiene, and supermarkets posted signs and other advisories.

“Now, it’s a cyber epidemic,” said Bob Dix, vice president for U.S. government and critical infrastructure protection for Juniper Networks. “Why aren’t we educating people?”

Dix was speaking on a cybersecurity panel Oct. 25 at the Executive Leadership Conference, about the growing growing threats to cybersecurity. The panel was called “Taking it to the Net: Security Boon or Bane.” ELC, staged by the American Council for Technology and the Industry Advisory Council, took place in Williamsburg, Va.

Dix and the other panelists said the interconnected nature of systems has made all of them vulnerable, threatening both government systems and individuals. However, the panelists said, despite the urgency and the seriousness of the worry, the United States’ overall cyber defense isn’t strong enough.

“Right now, we’re a soft target,” said Sherri Ramsay, director of the National Security Agency/Central Security Service’s Threat Operations Center. “We’re very easy.”

Agencies are familiar with cyber threats, of course, but it’s a question of degree. “Nothing we’re talking about today is new,” Dix said. “What’s new is the threat is more severe.”

Making it tougher to penetrate systems involves a number of steps, including instituting security standards, getting agencies to share information more readily and raising awareness among the public, panelists said.

Some of those steps are already underway. Matt Coose, director of the Federal Network Security Branch of the Homeland Security Department’s National Cybersecurity Division, cited the work of NSA and the National Institute of Standards and Technology in creating the Security Content Automation Protocolswhich, he said, “have really come a long way.”

A next step, Coose said, is to take standards to the international level.

Ramsay said agencies also have gotten much better over the last few years at collaborating on security. She said about 30 entities around government take part in a teleconferenced meeting five days a week to discuss security. It’s typically a short meeting, but agency representatives get to talk about what’s going on with their networks, and it establishes a rapport that would prove helpful in an emergency.

“In a crisis, those meetings would go seven days a week, and probably several times a day,” Ramsay said.

Dix agreed that sharing information has become more common among security teams. “I’ve sat in meetings with people who never used to come to the table,” he said.

In addition to collaborating with each other, government agencies must also get the message out to the public, panelists said. “This solution is going to be driven by the market,” Dix said.

Ramsay said her presence on the panel was one sign that NSA was looking to raise security awareness. Two years ago, NSA would not have sent the director of its threat operations center to give public talks, she said. Now, she spends a fair amount of time doing just that.

Ultimately, collaboration must grow into an effort that covers all sectors. Dix said a lot of the pieces are in place now, but “the operational piece is what’s missing.”

Ramsay also called for a combined effort. “We absolutely have to have a Team Cyber” consisting of the public and private sectors and academia, she said, and which much be interoperable at the system, network, people and policy levels.

About the Author

Kevin McCaney is a former editor of Defense Systems and GCN.

inside gcn

  • businessman pressing brain button (Jirsak/Shutterstock.com)

    What's government's role in AI?

Reader Comments

Wed, Nov 10, 2010

If you’re wondering why the average person is ambivalent to computer security, I believe that the answer is multifaceted.

(1) Lack of personal impact: Most folks ignore security as long as their computer "works" or can be made to work with little to moderate inconvenience.

(2) Lack of knowledge: Folks don't know enough about the problem to understand the severity. Most persons are not technically savvy regarding the underpinning of the internet. Most assume that their ISPs are taking care of the larger, important problems.

(3) "Crisis Overload": Since nearly every important issue in today's society is presented as a "crisis", only those items that an individual readily understands [see items (1) & (2)] are embraced as true emergencies. Hence, only a small number of persons will view the issue as an emergency.

Thu, Oct 28, 2010 ChrisC

Security Configuration Protocols aren't the only task force agent out there. For instance just recently the DHS and the NSA have banned together with some of the top security agencies. For exmample, Red Seal is the top company working with our government to enforce rules and policies across the network using methods like security compliance, auditing, and solution testing.

Wed, Oct 27, 2010 Brian Kim

Are the groups of people online "enough"?

How many vectors can spawn in the geographies of underserved, underprividged, and forgotten?

Wed, Oct 27, 2010 Billy Beltway

"The Network is the Computer." Obviously, the network is infected and assuming we can make it perfectly healthy is fantasy. “You Have Zero Privacy Anyway. Get Over It”. The goal now should be protecting sensitive data - focusing on both disk level (bulk protecion) and file level (granular protection) of just one key, critical, sensitive data. That is the change we need. Strong pipes to move data are commonplace. Strong encryption for data-at-rest is well understood but not used. Coming soon, especially with TPM usage, will be keeping that data sorta protected while its in use. By limiting the total time sensitive data is available, we can greatly decrease it unauthorized release.

Wed, Oct 27, 2010 Richard Ordowich

I wonder if as part of an agency's security plan, they have included disconnecting themselves completely from the Internet as a contingency? This is obviously a worse case scenario but maybe necessary. How would the agency continue to operate without Internet access and what are the fall back plans? This contingency would eliminate all VPN access as well.

Show All Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group