Need to read:
The Department of Homeland Security (DHS) and the Information Technology Sector Coordinating Council (IT SCC) today released the IT Sector Baseline Risk Assessment (ITSRA) to identify and prioritize national-level risks to critical sector-wide IT functions while outlining strategies to mitigate those risks and enhance national and economic security.
“The IT Sector Baseline Risk Assessment is an example of what can happen when public and private sector partners work together and represents a major step forward in mitigating risks to critical infrastructure functions that are essential to both homeland and economic security,” said DHS Assistant Secretary for Cybersecurity and Communications Gregory Schaffer. “While elements of the assessment have already been adopted, the establishment of this iterative platform for assessing IT sector risk will also enable us to address ever more sophisticated threats.”
IT Sector Baseline Risk Assessment (PDF, 114 pages – 3.37 MB)
Interesting implications from this post:
“Is it going to be the dominant player by default because the Department of Homeland Security is weak and this new unit will be strong?” said James A. Lewis, a cybersecurity expert at the Center for Strategic and International Studies. “That’s a legitimate question, and I think DoD will resist having that happen. But there are issues of authorities that haven’t been cleared up. What authorities does DoD have to do things outside the dot-mil space?”
This is a serious concern, especially given that the PCs in your home are the foot soldiers:
Owners of machines forming a botnet typically do not know their computer has been hijacked and home users account for 95% of all attacks mounted by botnets, according to figures from security firm Symantec.
Public computers are fair game too. See this story in NYT about Iranian hackers capturing University System of Oregon computers.
At least, that is the summary of this article from the BBC:
- “We have seen some good initiatives from industry on improving the trustworthiness of software. What I am hoping to see from government with this new post is more involvement in standards and education efforts in security.” Benjamin Jun, Cryptology Research
- “We need to have a new security paradigm in the future. We need to have a clear idea of what our society should be at the end of the decade so this problem is addressed adequately. We must use this crisis to make the right changes.” Mark Cohn, VP Enterprise Security, Unisys
- “The first order of business has to be to draw attention to the subject and then start working with all the agencies and organisations throughout industry and government. You have to be able to kick all these different groups in the seat of the pants to get them moving in the same direction.” Ken Silva, CTO – Verisign
- “A key component will be co-operation and collaboration. There has been an ad hoc approach to this in law enforcement with perpetrators of a digital breach in one country while the act has happened in another.” Liesyl Franz — Tech America
Seems Internet2, EduCause, and a bunch of other folks want to be the driver (as this whitepaper says) for the ARRA Broadband initiative:
The potential for America’s future is limitless if we support the unique innovative strengths of our colleges and universities, working with other public and private sector partners to expand access to and breadth of broadband services for all of America. The robust advanced network infrastructure put into place by the research and education community and its partners is ready to serve as the foundation and springboard for the nation’s broadband strategy under the ARRA. We have a cohesive and comprehensive plan and the engine is ready. All that is needed is the fuel to drive it. Our institutions of higher education are the right core engine to launch the ARRA broadband strategy.
Check out this paper on Cybersecurity
In her remarks, she made lots of references to Mission Impossible (e.g. this message will self destruct). But the only real substance is contained here:
- It is the fundamental responsibility of our government to address strategic vulnerabilities in cyberspace and to ensure that the United States and the world can realize the full potential of the information technology revolution.
- No single agency has a broad enough perspective to match the sweep of the challenges.
- It requires leading from the top — from the White House, to Departments and Agencies, State, local, tribal governments, the C-Suite, and to the local classroom and library.
- We need to explain the challenges and discuss what the Nation can do to solve problems in a way that the American people can appreciate the need for action.
- There is a unique opportunity for the United States to work with countries around the world to make the digital infrastructure a safe and secure place that drives prosperity and innovation for all nations.
- Government and industry leaders, both here and abroad, need to delineate roles and responsibilities, balance capabilities, and take ownership of the problem to develop holistic solutions.
- Building toward the architecture of the future requires research and development that focuses on game-changing technologies that could enhance the security, reliability, resilience and trustworthiness of our digital infrastructure.
- Can we call for changes in widely shared norms?
- Are we ready to talk openly about the challenges we face and how we share the responsibility for reversing the trend?
- Can we create the conditions where innovation and security are mutually reinforcing and treat them as an integrated and synergistic whole?
- Can government and the private sector, national and international parties, accelerate the changes we need?
- And, if not us, then who?
- If not now, then when?
SecurityFix describes the discourse between Adobe and the cybersecurity community concerning a flaw that was discovered last year. The organizations noted in this report are a volunteer group (Shadowserver) and a proprietary intrusion prevention company (Sourcefire). No government organizations are mentioned regarding an event that touches many users across all organizational sectors.
There is a blog (VRT) that reports on findings from the Sourcefire research team.