Five industry/government task forces have delivered to
the US Department of Homeland Security specific action plans to
achieve the cybersecurity goals outlined in the Bush
administration's National Strategy to Secure Cyber
Space.
After two days of meetings, the task forces emerged with lists
of specific programmes and initiatives, which officials said they
hope to put in motion by March 2004. The five categories covered
include cybersecurity awareness, early warning, corporate
governance, technical standards and secure software development and
maintenance.
"We've moved from strategy to implementation," said Amit Yoran,
director of the National Cyber Security Division at the DHS.
He said the summit was the first step on a long journey and
warned the IT community that the threat of cyberterrorism means the
nation's cybersecurity practitioners will need to think differently
about how technology can be used against the country.
Howard Schmidt, chief security officer at eBay, served as
co-chairman of the cybersecurity awareness task force. He outlined
a plan to raise awareness about the importance of cybersecurity,
including the development of a cybersecurity excellence award
programme for state and local governments and a public safety
announcement effort that focuses on individual responsibility.
The goal is "to instill a sense of civic duty in the home user
community", said Schmidt.
Guy Copeland, special assistant to the CEO of Computer Sciences
and co-chairman of the early-warning task force, said his group
wants to have a detailed planning document ready by 17 December,
although many issues have yet to be tackled. For example, his task
force wrestled with questions about what type of information is
needed for early warnings and who should get that information.
The challenge of cybersecurity goes far beyond technology,
according to Art Coviello, president and CEO of RSA Security and
co-chairman of the corporate governance task force. He said the
task force will recommend that information security be made a
subset of the internal controls that CEOs are required to
maintain.
His task force aims to complete a framework for implementing its
overall plan by 1 March 2004. The group hopes to distill knowledge
about corporate governance into a central repository that CEOs can
use; to develop guidelines for implementing the framework at
organisations of different sizes and in different industries; and
to establish a way to measure compliance.
Ed Roback, chief of the Computer Security Division at the
National Institute of Standards and Technology and co-chairman of
the technical standards task force, said one of the main priorities
for his group will be to help systems administrators configure
products for optimal security.
However, the question that remains unanswered, said Roback, is
whether software suppliers have a responsibility to deliver
products configured securely and with install scripts that ensure
that default configurations are set for optimal security.
Catherine Allen, CEO of BITS and co-chairman of the task force
handling secure software development, said members of her task
force are developing a white paper covering the education and
certification requirements for software developers that will
emphasise the economic benefits of hiring certified developers. The
task force will also propose a new set of practices which, Allen
said, could reduce defects in the software development process and
in products.
Dan Verton writes for IDG News Service