Who best to avert data security disaster: government or business?

Kenneth Minihan has spent years dissecting the nation's physical and digital vulnerabilities as a retired Air Force lieutenant general, former director of the National Security Agency (NSA) and principal at Washington, D.C.-based Paladin Capital Group. He has

THE MERGING PHYSICAL-CYBER THREAT Hurricane Katrina and the 9-11 terrorist attacks demonstrated how physical catastrophe can kill companies. Security experts have long warned that an Internet-based disaster could have similar consequences.   As buildings and business processes become more computerized and companies grow more dependent on e-commerce, those tasked with enterprise security are having a harder time separating threats in the physical world from those in cyberspace.   In this three-day series, security officers describe how their operations are evolving to confront the combined threat; where they see the most damage potential and where they're finding the best survival tools.

"There's always a lingering halo effect," said Minihan, whose identity was stolen a decade ago after his information was published in the Congressional Record. Someone in Florida piled up debt using Minihan's name and Social Security number. As recently as this past year, another unpaid bill surfaced. "You always have to explain to someone why part of your credit rating is so bad. I've had to work to get my integrity back. I need my integrity intact so I can do my job and serve my country."

Now, Minihan said, picture the havoc someone can unleash by stealing personal information on millions of people by hacking into a company database from cyberspace. Picture the fatal damage it can do to the reputation of a company or government agency. "Today you can take stolen information and move through the Internet. Without the proper authentication, the bad guys can hide in plain sight, whether they're a thief or a terrorist," he said. "Now pick a business you're in. The reason I'm doing business with you is because of your integrity. If the database is penetrated and my name is stolen, that integrity is demolished. If you're a government agency and you've been hacked, your ability to serve the public is damaged. It's a big issue if you're a business and a national security issue if you're a government agency."

The danger isn't limited to damaged credit ratings and bruised reputations, he said. If a terrorist can break into a government network and steal sensitive data or even access someone's identity from a business database, the damage they can do to the physical or digital infrastructure is limitless. The question is whether government or the private sector has a bigger role to play in blunting these threats.

A Government Accountability Office [GAO] report published earlier this year took the U.S. Department of Homeland Security [DHS] to task for not doing enough to reach out to the private sector. It cited a growing risk in that large portions of the national infrastructure "are either unaware of key areas of cybersecurity risks or unprepared to effectively address cyberemergencies. Further, DHS continues to have difficulties in developing partnerships -- as called for in federal policy -- with other federal agencies, state and local governments, and [the] private sector."

Those interviewed said security challenges can't be handled by one sector alone. Government agencies and private firms must work together, sharing intelligence and technology while teaming up to boost public awareness.

Homeland security's foot soldiers
Having worked for the Air Force and NSA, Minihan said he understands government has a big role to play in keeping bad things from happening. Being an identity theft victim, he believes it's also critical that the private sector do its part.

Asked about the GAO report after its release last spring, Minihan said, "I agree DHS must be more open, but the business community must also reach out to DHS. Businesses need to be clearer on what they need from the government, so they can play a greater role in homeland security."

In the end, he said the first line of defense -- the front-line troops in the fight for homeland security -- are the IT professionals tasked with keeping digital criminals out of enterprise networks every day.

"In the Cold War, you paid your taxes and the government took care of national security," he said. "But in the 21st century, you don't need a uniform to serve. When I go out and speak to people, my goal is to talk about the larger infrastructure and how the first line of

Other parts in the series The threat with the most disaster potential Why the catastrophic cyberattack may never come Telework key to surviving security disaster, expert says Cybersecurity czar: DHS overhaul will improve preparedness

Vaults on cardboard boxes
Those foot soldiers face two huge challenges today, Minihan said. One is to improve the enterprise's method of authenticating people. Another is to address the software and hardware vulnerabilities criminals can exploit to break into databases or computerized physical spaces.

"The ability for us to network has far outpaced our ability to protect ourselves because the focus has been on efficiency over security," he said. "Today, probably 90% of critical infrastructure is shared by the private and public sector. All the vulnerabilities that were once limited to the private sector are now in the public sector as well."

One problem is that organizations are putting "vaults on cardboard boxes," he said. In other words, enterprises will spend a lot of money to put locks on doors and motion detectors in restricted areas. But if the network is running programs with security holes, those measures won't help.

"In the physical security area, we've thought in terms of how many fences and video cameras are in place," he said. "But there are many more flaws to the infrastructure that're sitting behind the fence. You don't have to enter a building to penetrate the database or undermine the power grid."

A bank can lock doors and keep its money in the safe. But in an online transaction where information leaves the bank, those vaults and locks don't matter, he said, adding, "If you're a thief or a terrorist you no longer need to go through the vault."

His advice to enterprises is to focus first on policies and technologies to improve how online users are authenticated. "It all comes back to authentication," he said. "You need the policies and technology to ensure people are who they say they are."

What the government is doing
Andy Purdy, the Department of Homeland Security's cybersecurity director, declined to comment on the GAO report. But, he said, a significant reorganization is taking place within the department that will bolster the security of America's digital infrastructure.

DHS Secretary Michael Chertoff unveiled the restructuring plan in July. Under the new chain of command, an assistant secretary of cyber and telecommunications will answer to an undersecretary for preparedness. According to the DHS's statement on the restructuring, the assistant secretary "will be responsible for identifying and assessing the vulnerability of critical telecommunications infrastructure and assets; providing timely, actionable and valuable threat information; and leading the national response to cyber and telecommunications attacks."

In all, the changes are designed to add clout to a position many security experts and politicians have criticized as one without influence. Indeed, the office Purdy now holds has had a revolving door with directors like Richard Clarke, Howard Schmidt and Amit Yoran coming and going.

While he wouldn't discuss the GAO report directly, Purdy did defend DHS' outreach efforts to the private sector. He said the U.S. Computer Emergency Readiness Team (US-CERT), founded two years ago, is the perfect example of the government reaching out to private enterprise. "It's our watch and warning system, the place where active guidance is sent out [to private companies]," he said.

Asked who has a bigger security role to play -- government or the private sector -- Purdy said, "It's difficult to say that one or the other is more important. Both are essential."

He said it's the government's responsibility to raise awareness and partner with private companies "so we are ready to mitigate the greatest risks and work together if a serious cyber incident occurs."