US Secretary of Homeland Security Tom Ridge has warned the IT industry that the nation's electronic infrastructure presents "an attractive target for terrorists".
Speaking to more than 300 IT executives at the first National Cyber Security Summit in California, Ridge said everything from electricity grids to banking transactions and telecommunications depends on secure, reliable cyber networks, and terrorist groups "know, as do we, that a few lines of code could ultimately wreak as much havoc as a handful of bombs".
Ridge said the number of cyberattacks has continued to rise, with more than 76,000 occurring in the first six months of this year.
"Many of these are the work of hackers. Yet, we know the enemies of freedom use the same technology that hackers do. And we know that they are looking to strike in any manner that will cripple our society."
Ridge also pressed the IT industry, and the private businesses that own and operate more than 85% of US critical infrastructure, to "lead the way" in cybersecurity.
"The continued success of protecting our cyberspace depends on the investment and commitment of each of you and the businesses you represent," he said.
That commitment has come under increased scrutiny during the past year as various studies and independent commissions have concluded that market forces alone have not been enough to force needed improvements in security.
Robert Liscouski, assistant secretary for infrastructure protection at the Department of Homeland Security, said increased government regulation remains a possibility should the private sector fail to live up to its security responsibilities.
"The private sector owns the problem," said Liscouski. "[And] there are a lot of people out there who are willing to legislate. If that's what you want, I can promise you that you'll get it."
However, he added that the Bush administration does not think that better security can be legislated or forced on the private sector by the government.
"We're not going to let anybody who operates [a business] dodge their responsibility. This is not about mollifying industry," Liscouski said.
And while mandatory reporting of cybersecurity incidents and vulnerabilities is not something the department will be pushing, Liscouski said other measures, such as regulation, can be used if necessary.
Dan Verton writes for Computerworld