The US secretary of Homeland Security, Tom Ridge,
has warned the IT industry that the nation's electronic
infrastructure presents "an attractive target for
terrorists".
Speaking to more than 300 IT executives at the first National
Cyber Security Summit in California, Ridge said everything from
electricity grids to banking transactions and telecommunications
depends on secure, reliable cyber networks, and terrorist groups
"know, as do we, that a few lines of code could ultimately wreak as
much havoc as a handful of bombs".
Ridge said the number of cyberattacks has continued to rise,
with more than 76,000 occurring in the first six months of this
year.
"Many of these are the work of hackers. Yet, we know the enemies
of freedom use the same technology that hackers do. And we know
that they are looking to strike in any manner that will cripple our
society."
Ridge also pressed the IT industry and the private businesses
that own and operate more than 85% of the US critical
infrastructures to "lead the way" in cybersecurity.
"The continued success of protecting our cyberspace depends on
the investment and commitment of each of you and the businesses you
represent," he said.
That commitment has come under increased scrutiny during the
past year as various studies and independent commissions have
concluded that market forces alone have not been enough to force
needed improvements in security.
Robert Liscouski, assistant secretary for infrastructure
protection at the Department of Homeland Security, said increased
government regulation remains a possibility should the private
sector fail to live up to its security responsibilities.
"The private sector owns the problem," said Liscouski. "[And]
there are a lot of people out there who are willing to legislate.
If that's what you want, I can promise you that you'll get it."
However, he added that the Bush administration does not think
that better security can be legislated or forced on the private
sector by the government.
"We're not going to let anybody who operates [a business] dodge
their responsibility. This is not about mollifying industry,"
Liscouski said.
And while mandatory reporting of cybersecurity incidents and
vulnerabilities is not something the department will be pushing,
Liscouski said other measures, such as regulation, can be used if
necessary.
Dan Verton writes for Computerworld