By William Jackson
The government needs to establish clear lines of authority and clarify
responsibility for an effective national information assurance policy,
former presidential adviser Paul Kurtz said Thursday.
"We have a growing body of law and regulation bearing on information
security," Kurtz said at the GovSec conference in Washington. But, "we
are not ready for a major disruption of the information infrastructure
today, and we have a long way to go to get there."
Kurtz, executive director of the Cyber Security Industry Alliance,
proposed a two-tiered framework for cybersecurity, in which critical
functionality could be identified for government attention, while less
pressing issues are passed to the private sector.
"The government doesn't have to solve everyone's problem here," Kurtz
said. Market forces and self-interest could be leveraged to handle
problems of public awareness, education and coordinating information.
Kurtz and Tom Leighton, chief scientist for the content delivery
network operator Akamai Technologies, described cyberspace as a tough
neighborhood that is getting tougher.
"We have to anticipate that terrorist groups will get involved in
disrupting cyberinfrastructure," along with nation states, Kurtz said.
We also must anticipate that attacks will succeed, and build
infrastructure to survive and respond to them, they said.
"We are under constant attack," Leighton said of Akamai's network. "At
any given time, we have a lot of servers taken down. And it doesn't
matter, because we direct traffic elsewhere."
Establishing an effective policy requires leadership. Kurtz called the
still-vacant position of assistant secretary for cybersecurity in the
Homeland Security Department critical to establishing a viable policy.
"Unfortunately, we're almost at a one-year anniversary, and we still
don't have an assistant secretary in place," he said.
Kurtz referred to the government's response to Hurricane Katrina, in
which primary responsibility for the efforts eventually devolved to
the Defense Department. Knowing who will be needed to respond to a
cyberdisaster is a critical part of establishing a policy.
"If we come under attack, it's going to be the geeks who restore the
networks," he said. Identifying and organizing the personnel and
resources needed for such a response should be done in advance.