Liscouski Cites Milestones, Offers Industry Options
Department of Homeland Security Secretary Tom Ridge recently characterized the cyber networks that connect everything from electricity grids to financial transactions as a “vast electronic nervous system [that] operates much of our nation’s physical infrastructure.” Given the poor state of cybersecurity, how much progress has been made to guard against the equivalent of a cybernervous breakdown?
“We can say anecdotally as well as quantitatively that programs today are better than they were before 9-11,” says Robert Liscouski, assistant director for infrastructure protection at the Department of Homeland Security (DHS), who spoke recently with Security Management about the government’s cybersecurity efforts.
Liscouski calls the creation of the DHS a “milestone” that allows “a coordinated approach toward implementing security strategies and protection strategies across the federal government and the private sector.” He says that thanks to the partnerships created with the private sector, with state and local law enforcement, and across the federal government, the country is “at a much higher state of both capability and preparedness than we were prior to the creation of DHS.”
The first step toward hardening the nation’s cyber infrastructure was to ensure that responsibility for computer security issues was centralized in DHS, he says. “The creation of the National Cyber Security Division [NCSD] did not exist in the Homeland Security Act, but Secretary Ridge took this initiative to integrate cyber and physical security under one directorate to make sure we had a consistent, holistic look for security programs.”
Amit Yoran, a former Symantec executive, was appointed the head of the NCSD in September. Liscouski calls Yoran’s appointment and the creation late last year of US-CERT, a partnership between the NCSD and Carnegie Mellon’s CERT Coordination Center, the two biggest accomplishments toward improving the nation’s cybersecurity. US-CERT combines a number of existing initiatives that gather, analyze, and disseminate information pertaining to cyberthreats.
“The creation of the US-CERT allows us to take a much more coordinated look across the broad spectrum of users to make sure that we get good incident reporting as well as good practices and remediation responses back into the community to ensure that they can become protected against cyberattacks,” says Liscouski.
“The work that Amit is doing,” explains Liscouski, “is very deliberate in its path of bringing all these entities under one roof, with single coordination of management to ensure that we have a consistent and effective message out to the user community on what the threats and what the remediation requirements are.”
Not everyone champions the effort. Computer expert Marcus Ranum is skeptical that US-CERT will work. Most CERTs simply “reprocess a stream of vulnerability announcements from third parties,” adding nothing of value, he says. A national effort will also face political obstacles, he adds. “Having a US-CERT is going to step across the turf boundaries of all the smaller-agency CERTs and some of them will be unhappy about that,” he says. “My guess is it’s just going to be a load of thrashing and meetings and nothing will come of it.”
Liscouski says he takes seriously criticisms of the information-sharing groups that have had only limited success thus far. The National Cyber Security Summit, which convened in December, brought together players from the public and private sectors to ensure that US-CERT is effective, allowing industry representatives to recommend measures to improve cybersecurity and ways to enforce those measures, he says.
“We want to stay away from mandating and legislating requirements,” he says, “because then you typically do what you’re being audited against, and you don’t necessarily do what good practices tell you to do.”
However, if self-regulation is not achieved, a less appealing solution will be found. “I think we’ll be able to prove the case that industry can act responsibly and they know how to make their [cybersecurity] investments,” he says. “If they can’t, the government’s not going to just sit back and say we tried but we couldn’t. We’ll take a more aggressive approach.”