The Board of Directors of the Internet Security Alliance (ISA) today urged the Obama Administration to set a new direction in assuring our nation’s cyber infrastructure modeled on the social contracts that government created with industry for infrastructure development in the last century.
“Virtually every aspect of American life is now dependent on this electronic infrastructure, which is under attack and is growing increasingly vulnerable,” said ISA President Larry Clinton. “The issue is far more serious than the unauthorized release of financial data. A third of our country’s wealth travels across these systems every day, and our financial systems, communications network, defense industrial base and manufacturing infrastructure are under constant attack from criminals, nation states and terrorists,” Clinton explained.
“The voluntary partnership model of the Bush Administration did not work adequately. However, a centralized set of regulatory mandates will not meet this international and quickly evolving problem, and might even be counterproductive,” Clinton said.
ISA called for a different and more aggressive approach, ‘a third way’, where government must be willing to provide market incentives for industry to adopt security procedures that go beyond their own business plans to address the general public’s interest. The Alliance’s Board released a 50-page set of recommendations outlining ways to achieve that goal, Cyber Security Social Contract: Policy Recommendation for the Obama Administration and the 111th Congress.
ISA Board Members, composed of top security professionals in defense, finance, communications, “IT”, manufacturing and the academic community, have each written chapters for the report related specifically to their area of the economy. Each chapter identifies what these professionals believe are the biggest problems facing their sector, the biggest obstacles that need to be overcome and what the federal government can best do both long and short term to help them.
“The good news,” said Clinton, “is that we actually do know a great deal about how to secure our cyber systems. Independent research and anecdotal reports from information security officials both indicate that as much as 80 to 90% of our current problem could be successfully addressed if we simply get people to adopt the security practices that have been demonstrated to work.”
Clinton said, “The US can have a great deal of success in this fight, and fairly quickly, but for that to happen the government will need to accept some ‘inconvenient truths’.”
First, Clinton said, there needs to be a fundamental rethinking, and understanding, that cyber security is not an “IT” problem, but rather a system-wide problem that will require an enterprise-wide, risk management solution.
Second, while the national economy is very much at stake, the US government cannot mandate a solution on cyber security. “If it attempts to, there could be significant economic repercussions because this is now a global economy and an international problem,” he said.
Third, the government needs to accept that since the vast majority of the infrastructure is in private hands, it needs to work with industry at a business level plan. “By examining the social contract model used in the 1900’s to develop utilities, we have proposed a different approach to successfully address our constantly changing cyber security needs,” Clinton said.
“We hope that our recommendations open a dialogue that will help make the United States the world’s leader in 21st century cyber security,” Clinton concluded.