On Between the Lines, Dan Farber reports back
from the RSA 2007 Conference, where Greg Garcia, the Department of Homeland Security assistant secretary for cybersecurity and telecommunications, described the security problems inherent in a totally IP-connected world.
"The next ten years there will be a single integrated IP network that serves all needs," Garcia said. A billion devices connected globally create what Garcia called a "breeding ground for security problems," with blurred boundaries across the more flattened globe of the 21st century. "I spent my career defending and promoting globalization, but now as part of the government I have new perspective," Garcia said. "The more IT becomes global–design, manufacturing and outsourcing–the more opportunities for vulnerabilities to be introduced along the supply chain."
Dan notes that incident reports to the U.S. Computer Emergency Readiness Team increased to 23,000 incidents, up from 5,000 in 2005. An annual report released by the Cyber Security Industry Alliance gave the U.S. cybersecurity efforts a barely passing "D" grade. Garcia attributes the problems not to lack of technology but lack of will and commitment. "The will was lacking because it wasn't clear where the leadership was," Garcia said.
Ultimately, security is based on every participant on the network applying security best practices. "If we all ... [followed the guidelines], we would see dramatic and measurable improvement against cybercriminals, terrorists and hackers."
"I would like us all and our friends in Congress to consider what incentives, legislation or commercialization would make business case for making the investments [in improving security]," Garcia said. The incentive would be focused on coming up with better technology, standards and practices to drive ROI. "It's complicated. For every stakeholder there is a different case to be made. There is no one-size-fits-all or single technology mandate."
"We are all vulnerable and we all need to partner," Garcia said. "Over the next year we want to look back and see robust infrastructure for information sharing and incident response. Everyone has a piece of the puzzle and can contribute intelligence and analysis into what is happening on the network and get information back and take responsibilty for fixing the network."