Drafting VARs Could Secure U.S. Digital Infrastructure
By Charlene O'Hanlon | Posted 2008-12-08
The U.S. Center for Cybersecurity says the country's digital infrastructure remains vulnerable to attack by terrorists, hostile nations and rogue corporations. Enlisting the help of IT solution providers could repair many of the weaknesses in the private-sector side of the infrastructure.
The sorry state of cyber-security in the United States has made the nation vulnerable to attacks on its entire infrastructure, from the Internet to the national power grid, according to a Washington-based think tank. Now it’s up to solution providers to help accomplish what the federal government has not been able to: lock down our cyber-borders.
A report issued this week by the U.S. Center for Cybersecurity noted that the nation is exposed to an attack on its infrastructure largely because of poor oversight and the lack of any national-scale policy on, and regulation of, network security.
But through a collaborative effort with both public and private companies—and their solution provider partners—the federal government has the ability to stem the bleeding of sensitive information to hackers, identity thieves, unfriendly countries and corporate spies, the commission says.
"America’s failure to protect cyberspace is one of the most urgent national security problems facing the new administration that will take office in January 2009," the report states. "In the new global competition, where economic strength and technological leadership are as important to national power as military force, failing to secure cyberspaces puts us at a disadvantage."
In addition to recommending that the Obama administration create a Center for Cybersecurity Operations and appoint a national cyber adviser, the report recommends a comprehensive cyber-security policy for all government agencies and a new focus on collaboration with the private sector to further security policies.
"We [as a country] need to get away from the air of plausible deniability," says Tom Kellerman, vice president of security awareness at Core Security Technologies and a member of the commission. "The real leadership in corporations is not aware of the vast operational and technical risks associated with the use of technology and the overuse to manage technology risk. We are too technologically dependent."
Solution providers are front and center in this brave new world of public-private cyber-security policymaking, from identifying the leaks to making recommendations that won’t impinge on individual freedoms. Kellerman recommends four steps solution providers can take with their customers to keep their systems safe from attack and help lock down the nation’s infrastructure:
- Allow customer contracts to be rewritten to include security. "Move away from SLAs," he says. "The best thing solution providers can do is to make security the highest priority in customer contracts."
- Demonstrate that you’re penetration-testing your systems and those systems with which you are interacting, and ask your customers to do so as well. "I hate to say it, but it is the same reason why you get a blood test when you get married," Kellerman says.
- Improve authentication systems. "Passwords have to go away," he says. "It is such primitive technology, and we need to get past that."
- Demonstrate you have a real incident-response capability with a forensics component. "It’s not enough to say you have it; solution providers have to prove it," he says. "Good security is as much about determining the source of the breach and where that information is going as it is finding the breach."
Solution providers have an opportunity to help make policy on national cyber-security based on the dealings with their customers. "This isn’t a technology issue anymore," Kellerman says. "The fundamental question is, how do you combine policy and procedure to solve this crisis?
"It’s not as much about mandating draconian standards as it is proving that you’re meeting the standards," Kellerman adds. Because of that, "I believe it’s coming that both public and private companies will have to meet a minimum standard for security."