RSA 2007: DHS's Greg Garcia gets organized for cybersecurity battle

At a town hall meeting at the RSA 2007 Conference in San Francisco, Greg Garcia, the Department of Homeland Security assistant secretary for cybersecurity and telecommunications, described the environment in which his agency operates:

"The next ten years there will be a single integrated IP network that serves all needs," Garcia said. A billion devices connected globally create what Garcia called a "breeding ground for security problems," with blurred boundaries across the more flattened globe of the 21st century. "I spent my career defending and promoting globalization, but now as part of the government I have new perspective," Garcia said. "The more IT becomes global--design, manufacturing and outsourcing--the more opportunities for vulnerabilities to be introduced along the supply chain."  

He described the adversary as sophisticated, nimble and organized, and as motivated by economic gain, causing  damage, espionage, revenge and publicity. "They are better organized, but we are getting organized in a systematic way. We need your sense of urgency and to make cybersecurity a habit," Garcia said to the assembled crowd.

Garcia, who was formerly vice president at the Information Technology Association of America, faces an uphill battle. In 2006, incidents report to the U.S. Computer Emergency Readiness Team increased to 23,000 incidents, up from 5,000 in 2005, according to Jerry Dixon, deputy director of the DHS's National Cyber Security Division. So far this year, with increased reporting, 19,000 incidents have been cataloged. Phishing attacks result in $1 billion annually in losses, Garcia said, and vital control systems connected to the Internet are especially vulnerable. An annual report released by the Cyber Security Industry Alliance gave the U.S. cybersecurity efforts a barely passing "D" grade.

He noted some progress in the last four years since the National Strategy to Secure Cyberspace was published, but attributed the lack of significant progress against cybercrime to a past lack of leadership and will--which he intends to supply.

There hasn't been a shortage of solutions," Garcia said. "It is just shortage of leadership and will." "I am here to see that the hard work comes to fruition."

After the session, Garcia told me that he sees an upward trajectory, partly due to having an assistant secretary for cybersecurity and telecommunications in place as the chief coordinator of the moving parts.

"The will was lacking because it wasn't clear where the leadership was," Garcia said. He added that he had been meeting with vendors as well as representatives of the private sector, from financial services, insurance and automotive sectors, and seeing more of a sense of collective response to security issues.

He encouraged every participant--public, private and non-profit sectors--to invest in fundamental security building blocks, which he listed as follows:

• Performing risk assessments
• Establishing security policy according to risk profiles
• Investing in and upgrading technology solutions, systems, and training
• Continue to test and audit and fix systems, and then start again

Garcia noted that many references exist that provide guidelines on how to develop more secure infrastructure. "If we all did that [follow the guidelines], we would see dramatic and measurable improvement against cybercriminals, terrorists and hackers."

One of the issues in following the guidelines is cost. Corporations have had to spend significant amounts on regulatory compliance in recent years, and allocating budget for implementing more  robust security infrastructure isn't a lock. Garcia is hoping to hold Congressional hearings and establish dialog with the private sector to consider incentives.

"I would like us all and our friends in Congress to consider what incentives, legislation or commercialization would make business case for making the investments [in improving security]," Garcia said. The incentive would be focused on coming up with better technology, standards and practices to drive ROI. "It's complicated. For every stakeholder there is a different case to be made. There is no one-size-fits-all or single technology mandate." Nor does Garcia want to be responsible for setting technology standards.

Part of Garcia's strategy is to work with federal agencies to adopt common security policies and try to lead by example, and to work with the private sector to integrate incident response and strengthen national preparedness. "Any company that operates a network and manages proprietary and business sensitive information that connects to the public network should seriously consider participating in the ISACs (Information Sharing and Analysis Centers)," Garcia said. This month the U.S. CERT (Computer Emergency Readiness Team) in collaboration with a few ISACs set up a "defender" real-time view of what is happening on networks.

"We are all vulnerable and we all need to partner," Garcia said. "Over the next year we want to look back and see robust infrastructure for information sharing and incident response. Everyone has a piece of the puzzle and can contribute intelligence and analysis into what is happening on the network and get information back and take responsibilty for fixing the network." 

Garcia is saying all the right things. He talked about building awareness for cybersecurity as a key initiative, and cited the cliche that protection is only as strong as the weakest link. His challenge, and measure of success for the DHS's latest cybersecurity efforts, will be in finding and shoring up the many weak links that give cybercriminals a big edge.