By William Jackson
The nation faces a real threat to its critical infrastructure while
the Homeland Security Department still struggles to develop the
systems needed to assess and respond to those risks, the department's
head of cybersecurity said today.
"We believe there is a significant cyber-risk in this country," Andy
Purdy, acting director of the National Cyber Security Division, said
at the 2006 International Conference on Network Security, being held
in Reston, Va. "We can take no solace from the fact that we haven't
seen the attacks yet."
As the lead agency for IT security, DHS is the point of contact for
collaboration with the IT industry in the development of a risk
management plan as part of the national infrastructure protection
plan. But critics have complained that cybersecurity has been too low
a priority within the department. A newly created assistant secretary
position would help to address this issue, but that office has yet to
"Homeland Security is working with the White House on coming up with a
candidate," Purdy said. He said an announcement is expected "in the
The two great challenges for DHS now in IT security are developing a
national cyber-response system to provide risk management for IT
threats, and developing a process for sharing information about
threats and vulnerabilities among agencies and with the private
The problem right now is not a lack of information, but a lack of
organization, Purdy said. "There are so many players, so many
different people doing different things," he said.
Lack of communication has long been a problem in IT security.
Information about threats and vulnerabilities often is seen as
proprietary and sensitive, and owners within and outside of government
tend to hold on to the information as long as possible.
Some elements of a system for sharing information already are in
place, such as a host of industry-specific information sharing and
analysis centers that communicate with lead government agencies for
their sectors. But many in the private sector still are leery about
sharing information with the government, and there is no system to
coordinate information sharing between industry sectors and various
federal agencies. Also lacking is an engine for collating this data so
that it can become useful intelligence.
Some in Purdy's audience were skeptical of Homeland Security's ability
to create a risk analysis system without comprehensive reporting
requirements used by other departments to produce useful statistics.
Purdy acknowledged this difficulty and said DHS still is waiting on a
comprehensive data collection system.