Summit: A Step Toward Cybersecurity
The President’s National Strategy to Secure Cyberspace was released in September 2002 to some grumbling that its reliance on guidelines, rather than government mandates, rendered it toothless. To help encourage the private sector to voluntarily achieve the goals set out in the strategy, the Department of Homeland Security (DHS) held a National Cyber Security Summit in December.
The goals of the summit were to gain industry engagement and to forge “a partnership in identifying common objectives and common solutions” to pressing problems such as information sharing between public and private sectors, according to Robert Liscouski, assistant director for infrastructure protection at DHS.
At the summit, five task forces comprising industry and government representatives were formed, covering cybersecurity awareness, early warning, corporate governance, technical standards, and secure software development and maintenance.
To go from strategy to implementation, stakeholders have to look at the hurdles and tactical problems that might arise, says Parveen Jain, president of McAfee Network Protection Solutions, who attended the summit. By bringing experts from industry and government together, summit sponsors hoped that these potential pitfalls could be identified and that ways to remediate them could be found.
A key factor in the success of any cybersecurity program proposed by DHS would be for industry to feel ownership in the solution, which was another aim of the summit, says Liscouski. Summit participants concurred that this approach could work. “What’s different here is that we’ve pulled together a lot of key players in the public and private sectors, agreed on some common principles of the framework, and now we’re putting together a plan to get to the next stage,” explains Shannon Kellogg, director of government affairs for RSA Security. Kellogg says he is confident that progress toward cybersecurity is being made, and he points to the hands-on participation at the summit by Liscouski and Amit Yoran, head of the DHS National Cyber Security Division.
The task-force members have been meeting since the December summit and by March are expected to complete their first reports to the industry associations (such as the Information Technology Association of America) that sponsored them. Another summit will be held at some point, in addition to follow-on collaborative events. The task-force members are expected to take the initiative in ensuring that recommendations are put into effect within their own organizations.
Kellogg served on the summit’s corporate governance task force. This group discussed the existing IT security governance landscape; for example, some elements of accountability are laid out in the Federal Information Security Management Act (FISMA) standards. The group looked at ways to create incentives that would encourage voluntary industry participation.
Kellogg says that the Y2K model—where companies needed to report their Y2K readiness in quarterly filings with the Securities and Exchange Commission—was one approach considered. Part of what made that model work was the creation by Congress of a safe harbor, which offered companies some relief from Y2K-related litigation. “It’s not an exact model for talking about security,” Kellogg says, but it’s a starting point for discussions.
Another model discussed was the Baldrige total quality concept that swept American industry beginning in the 1980s. “There was a fair amount of apprehension at first on behalf of private industry that the whole concept of quality would cost more and so on, but again and again the Secretary of Commerce hammered home how important this was and businesses stepped up to the plate, and it became very much a part of increasing productivity,” Kellogg states.
Kellogg says that the DHS has made it clear that if an industry-owned solution cannot be agreed on and implemented, the government is perfectly willing to push for the legislation.