Cybersecurity task forces prepare for action

Five industry/government task forces have delivered to the US Department of Homeland Security specific action plans to achieve the cybersecurity goals outlined in the Bush administration's National Strategy to Secure Cyber Space.

After two days of meetings, the task forces emerged with lists of specific programmes and initiatives, which officials said they hope to put in motion by March 2004. The five categories covered include cybersecurity awareness, early warning, corporate governance, technical standards and secure software development and maintenance.

"We've moved from strategy to implementation," said Amit Yoran, director of the National Cyber Security Division at the DHS.

He said the summit was the first step on a long journey and warned the IT community that the threat of cyberterrorism means the nation's cybersecurity practitioners will need to think differently about how technology can be used against the country.

Howard Schmidt, chief security officer at eBay, served as co-chairman of the cybersecurity awareness task force. He outlined a plan to raise awareness about the importance of cybersecurity, including the development of a cybersecurity excellence award programme for state and local governments and a public safety announcement effort that focuses on individual responsibility.

The goal is "to instill a sense of civic duty in the home user community", said Schmidt.

Guy Copeland, special assistant to the CEO of Computer Sciences and co-chairman of the early-warning task force, said his group wants to have a detailed planning document ready by 17 December, although many issues have yet to be tackled. For example, his task force wrestled with questions about what type of information is needed for early warnings and who should get that information.

The challenge of cybersecurity goes far beyond technology, according to Art Coviello, president and CEO of RSA Security and co-chairman of the corporate governance task force. He said the task force will recommend that information security be made a subset of the internal controls that CEOs are required to maintain.

His task force aims to complete a framework for implementing its overall plan by 1 March 2004. The group hopes to distill knowledge about corporate governance into a central repository that CEOs can use; to develop guidelines for implementing the framework at organisations of different sizes and in different industries; and to establish a way to measure compliance.

Ed Roback, chief of the Computer Security Division at the National Institute of Standards and Technology and co-chairman of the technical standards task force, said one of the main priorities for his group will be to help systems administrators configure products for optimal security.

However, the question that remains unanswered, said Roback, is whether software suppliers have a responsibility to deliver products configured securely and with install scripts that ensure that default configurations are set for optimal security.

Catherine Allen, CEO of BITS and co-chairman of the task force handling secure software development, said members of her task force are developing a white paper covering the education and certification requirements for software developers that will emphasise the economic benefits of hiring certified developers. The task force will also propose a new set of practices which, Allen said, could reduce defects in the software development process and in products.

Dan Verton writes for IDG News Service