ARCHIVED 8/10/10

August 10, 2010


Kamala Lane, Washington Internet Daily, 08/10/2010

Protecting critical infrastructure from cyber attacks remains a joint effort between the private sector and the federal government, but it’s up to companies within 18 sectors to take the lead in protecting their networks, executives and government officials said. There are some obstacles to achieving this goal, they agreed. “We work with them to remove roadblocks, but we rely on them to have the operations expertise,” said Sean McGurk, deputy director for critical infrastructure protection and cyber awareness at the Department of Homeland Security. “They provide the day-to-day functions and services.” When it comes to providing electricity, “the federal government doesn’t keep the lights on,” he said.

The private sector owns and runs about 85 percent of critical infrastructure in the U.S., so “it’s up to the private sector to figure out how to innovate,” Symantec Government Relations Director Kevin Richards said. “Another area that’s critical for companies is setting standards with the National Institute of Standards and Technology and other government bodies.”

Developing standards, best practices and technology are areas where companies should take the lead on protecting networks, the Internet Security Alliance said. “To a large degree, they are doing that,” said President Larry Clinton. But there are hurdles, he said. “Most of the activity in the cybersecurity space has tended to be focused on how attacks occur,” instead of the economic factor making it easier for cyber criminals to strike. “All the economic incentives favor the attackers” because attacks are cheap, easy and a lot can be stolen, he said. The chances of an offender being caught and prosecuted are less than 1 percent, he added. Lack of incentives to develop better innovation, especially within smaller businesses, is another obstacle, speakers said. “The research shows that investment in cybersecurity is being deferred or reduced while the threats are increasing,” Clinton said. “The only way to get small companies involved in this is to make it economically worthwhile,” through tax breaks.

“Criminals know who doesn’t have strong information technology security systems in place,” Richards said. Symantec recommends adopting a safe harbor provision that protects companies that follow set standards from the fees associated with notifying customers. If a laptop is stolen, but the company has encrypted the data, “the company can avoid the cost that’s associated with notification as well as a possible legal liability,” Richards said.

Adopting more effective technology is a financial challenge for many businesses, McGurk said. “When you look at some of the technology that’s out there, it’s 10, 20, 30 years old, but by working with them [companies] we can try to commit the resources necessary to bring about that innovation.” The private sector also has a responsibility to be proactive in educating policy members, speakers said. “There clearly needs to be increased trust between the private and public sector, and both groups must maintain continuous, open lines of communication,” Cisco said in a written statement. “We need to do a better job at communicating and translating the challenges faced across both sectors.”

Two cybersecurity bills circulating in the Senate propose greater collaboration between government agencies and the private sector. Senate Majority Leader Harry Reid, D-Nev., expects to vote on a comprehensive bill in September. Symantec supports the efforts being made in Congress, but emphasized the need for “a flexible framework that’s balanced with strong private sector input.” A government-mandated “one size fits all standard will make it difficult for the private sector to innovate and foreign governments will follow suit,” Richards said. The major bills being considered in the Senate aren’t “that encouraging,” Clinton said. Congressional legislation “still looks at this as a technical operations issue that looks at technical fixes,” he said: The technical aspect is “probably the area that we’re doing the best in.”