In Depth
DHS Cybersecurity: The Interactive Nightmare
The lead defender in protecting the critical infrastructure is the Department of Homeland Security, a collection of 23 agencies that began operations in January 2003
By Todd Datz
Schmidt sees a huge challenge in trying to understand the interdependencies that exist where electronic networks interface with the physical world. When the Slammer worm hit in January 2003, for example, people couldn't get cash out of some ATMs that connected to back-end databases compromised by the worm. Schmidt worries that the relationship between the cyber and physical infrastructure isn't well understood. He recalls that when he used to ride the train between Washington and New York, he took notice of a bunch of nondescript brick buildings along the tracks in Philadelphia. When he asked local law enforcement officials what they were doing to secure those buildings, he was told, "We're not doing anything. Nobody wants to break into those; they're just computers."
Carrot or Stick?
Last December, DHS, along with four business associations (the Information Technology Association of America, Business Software Alliance, TechNet and the U.S. Chamber of Commerce), organized a National Cyber Security Summit in Santa Clara, Calif. Some 350 people from government, academia and industry attended the closed event. Working groups were formed to deal with establishing a cybersecurity early warning system; developing technical standards and common criteria around information security; making management of cybersecurity an integral part of corporate governance; creating better security awareness among home computer users and businesses; and increasing security in software development, installation and patch management.
This sort of private-sector outreach is part of DHS's mission, which emphasizes building a strong public-private partnership to tackle cybersecurity. But all wasn't lovey-dovey in Santa Clara, according to Dan Burton, vice president of government affairs for Entrust, a digital identity security company. DHS's Liscouski delivered a stern message to the attendees. "He basically said we're at war. Industry is not doing enough, and we have no qualms about going to Congress and passing legislation to change [industries'] ways. It was a broadside toward industry at large," Burton says.
"That's not the best way to come across to the [private] sector," says Suzanne Gorman, who chairs the financial services ISAC and attended the summit. But with viruses, worms and other attacks sure to continue (and likely become more destructive), DHS seems to be delivering a not-so-subtle message: Industry secure thyself, or we'll start lighting fires under your feet. The five working groups delivered reports last month, and another summit is planned for September. If DHS determines then that enough progress hasn't been made, businesses may hear unpleasant news from Washington.
Waiting in the wings on Capitol Hill, and casting a keen eye on the task forces' progress, is Rep. Adam Putnam (R-Fla.), the youngest member of Congress. Last fall Putnam, who chairs a House subcommittee on technology and information policy, drafted legislation (the Corporate Information Security Accountability Act of 2003) that calls for companies to disclose annually to the SEC an audit of how they're doing on information security. Compliance with Putnam's legislation could involve performing independent corporate security and risk assessments, and developing risk-mitigation, incident-response and business-continuity plans.