SAN FRANCISCO—The United States government is better suited than ever to defend the nation’s computing and communications networks, but federal watchdogs will need private industry to lend a hand to keep attackers at bay, according to the first-ever federal cyber-security czar.
Addressing a crowded room of attendees at the ongoing RSA Security Conference here on Feb. 8, Greg Garcia, assistant secretary for cyber-security and telecommunications at the U.S. Department of Homeland Security, said that he and his team are already hard at work creating policies that aim to better protect critical infrastructure.
A former executive with the Information Technology Association of America and a staffer on the U.S. House of Representative’s Science Subcommittee on Research, Garcia said he remains “humbled” by DHS Secretary Michael Chertoff’s decision to appoint him to the newly created position—which he took over in September 2006.
The cyber-security leadership role itself had become something of a controversial topic in the media and other public forums as Chertoff took roughly a year to nominate a candidate for the job.
Over the first four months on the job, Garcia said, he has focused primarily on establishing a game plan for his office’s future projects and working to establish inroads with members of the IT and communications industries to encourage private companies’ contribution to those efforts.
While the federal government is aggressively looking for ways to create stronger protections for the nation’s IP backbone—a job whose importance was underscored by this week’s denial-of-service attack on the 13 root servers that support much of that infrastructure—the process will not be able to move forward quickly unless businesses and academic institutions that control the nation’s largest networks are willing to pitch in, he said.
Read more here about the root server attack.
According to the federal government’s latest estimates, the private sector owns and operates roughly 90 percent of the United States’ critical infrastructure.
“This infrastructure must be protected, and the job might not be getting any easier as a single IP-based network will likely soon be supporting everything we need,” Garcia said.
“The proliferation of devices connecting to this network will create a breeding ground for security problems, and the boundaries between national and international networks are being blurred,” he said. “The more the IT industry becomes global, the more opportunities there will be for vulnerabilities to be introduced somewhere along the supply chain.”
The cyber-security chief said that his initial priorities revolve around work to breed cooperation between federal agencies to develop common security policies for defending networks and to help the private sector strengthen national preparedness and incident-response plans. Garcia said his most important role will be to serve as a focal point in the U.S. government to drive national security policies across both the public and private sectors.
Having just passed the four-year anniversary of the president’s initial call for a national strategy to improve security in cyber-space, the watchdog said that the country has made “great strides” in raising the awareness of infrastructure security issues and improving event-response capabilities. However, the continued growth in the volume and sophistication of IT attacks makes it such that there is a lot of work left to be done.
Next Page: Biggest threats.
Garcia specifically highlighted threats such as advanced malware programs, so-called botnets, and various forms of identity fraud, including phishing schemes, as particularly challenging threats to security of the nation’s increasingly centralized IP backbone.
“Our adversaries won’t stop, and their attacks on infrastructure assets are growing in sophistication and frequency,” said Garcia. “The [IT]security sector shares in this mission to serve the country; there are lots of plans in Washington, but this one will stick—we need a framework for industry and the government to assess infrastructure vulnerabilities, evaluate risks and take steps to mitigate problems based on a common risk management model.”
In a nod to the existing impact of IT threats on infrastructure assets, and the growing awareness of his office’s work, Garcia noted that while the U.S. Computer Emergency Readiness Team, or CERT, received only 23 major incident reports from organizations during 2006, it matched that total during the first quarter of 2007 alone. The Homeland Security officer estimated that there are currently more than 3,000 active botnets—or clusters of infected computers used by hackers and other criminals to carry out their work—that control millions of hijacked devices.
Botnet stalkers share their takedown methods. Click here to read more.
Later this year, the DHS will coordinate a second iteration of its Cyber-Storm backbone attack exercise, which will provide a better idea of how much progress has been made in defending computing and telecommunications networks.
If every private organization that controls substantial network assets would agree to more actively police the security of their own infrastructure, there could be “dramatic and measurable” improvement in national efforts to ward off hackers, and even terrorist activity, Garcia submitted.
He also called on his former colleagues in Congress to create financial incentives that would reward organizations that commit to making such improvements.
“Security is a network of defenders. Join the groups that have already stepped up; they are integral partners to [Homeland Security]. We’re all vulnerable and need to partner,” said the cyber-security chief. “We’re all in this together, and there is another network out there that is technologically sophisticated and well-organized and out to get your money and disrupt operations. Together we can strengthen defenses, reduce vulnerabilities and help maintain our way of life.”