Cybersecurity policy takes cooperation, trust, experts say

At the Infosecurity confab, experts explain why sharing information -- even when it's embarrassing -- is vital to securing not only corporations, but also the national infrastructure.

NEW YORK -- When William Pelgrin became director of cybersecurity and critical infrastructure coordination for New York state three years ago, his resources were practically zero.

"It was a daunting task to be in charge of cybersecurity back then," he said. "We had no authority, no budget and no legislative backing."

Today, his department has all three. What's changed? Consumers, private companies and government agencies are more aware of threats like spyware, worms and online data thieves. But he cites another important factor: trust.

"We learned to make an impact with few resources by getting people at the CEO/commissioner level involved," Pelgrin said. "We had to figure out how to get them to understand the threats. We had to make the challenges real."

His department held hacking demonstrations with up to 30 state commissioners. Using two machines, his team showed how one person can hack the other and lift sensitive data. "That made it real," he said. "It was the first time their mouths dropped."


From then on, officials were willing to work together on a state cybersecurity policy everyone could live with. Pelgrin's office used similar techniques to get lower-level users involved, conducting phishing exercises in which workers were targets of simulated attacks.

Sharing information and bringing departments together was a recurring theme at this year's Infosecurity Conference & Exhibition. On Wednesday, industry luminaries explained that security officers are more likely to succeed when they give up a little control in order to build trust with other department heads. Share information with them and they'll be more likely to share with you, experts said. Then, working as a committee, the department heads can craft effective security policies and help top executives understand the need for specific technology investments.

"[Effective security] is not just about technology," said Howard Schmidt, a former Microsoft CSO, eBay CISO and White House cybersecurity advisor. "Companies need to have security councils and business risk councils where the legal people, the HR people, the IT people and the business owners are working together to hammer out a policy."

By contrast, he said, IT security officers are less likely to succeed when they try to sell their policy and investment proposals to CEOs by claiming that the sky is falling.

"Get buy-in across the board," Schmidt said. "It's hard in the beginning because you want control. You don't have that in a group setting. But the group will devise a common plan" that's more likely to succeed.

But security by committee only works when the players are willing to share their weaknesses, Pelgrin said. "In state government, there's a fear of shame over the information you share," he said. "There has to be a safe haven, where sharing doesn't translate into blame. When people know they won't be shamed, they feel freer to contribute information. And ultimately, through that atmosphere, you build trust."

And while trust and sharing are critical among department heads within an enterprise, they are also a must between the public and private entities that make up the national and global infrastructure, said Andy Purdy, director of the Department of Homeland Security's (DHS) National Cyber Security Division.

"DHS has been pushing for more strategic sharing between the public and private sector," he said. "The challenge is for government agencies and private companies to understand the broader purpose and find a way to make it easier to share analysis on malicious activity. We need to keep working together on this and be thinking ahead on how to deal with potential disasters, including cyberdisasters."

Former DHS Secretary Tom Ridge echoed that sentiment during a keynote address to conference attendees. He said Sept. 11 didn't make the nation more vulnerable. "It just exposed us to the fact that we are vulnerable," he said. Since the attacks, the challenge for the public and private sectors has been to manage risk and have security without grinding business to a halt.

"Millions of shipping containers enter this country and people come in and out every day," he said. "You can't eliminate risk with finite resources. You have to set priorities and manage the risk. [The public and private sectors] have to plan for the possibility that there will be a widespread attack with loss of life and other catastrophic consequences."

While the government has been focused on homeland security for the last four years, Ridge told attendees that in the end, "the critical mass of intellect on best practices and solutions is in the private sector, and without a partnership with the private sector the government's mission can't be effective."
