Is the United States government doing enough to secure the country against cyber-attacks? Not according to the Cyber-Security Industry Alliance (CSIA).
The security trade organization issued a report yesterday calling on the federal government to assert greater leadership in the protection of the country’s information infrastructure in 2006.
The CSIA’s “National Agenda for Information Security in 2006” identifies 13 specific actions required to improve information security for consumers, industry and governments globally.
As part of the Agenda, CSIA also provides a report of the government’s limited progress in information security in 2005 and releases a new “Digital Confidence Index” that reflects the public’s lack of confidence in our nation’s critical infrastructure.
“Over the past year, the government has taken limited steps to improve the state of information security in our country, such as increased Congressional leadership on issues of spyware and identity theft, and the creation of a new Assistant Secretary for Cyber-Security and Telecommunications position within the Department of Homeland Security,” said Paul Kurtz, executive director of CSIA.
Simply Not Enough
Kurtz said those “limited steps” are not enough. Currently, he added, there is little strategic direction or leadership from the executive branch in the area of information security. Ensuring the resilience and integrity of our information infrastructure and protecting the privacy of our citizens should be higher on the priority list for our government, Kurtz charged.
One year ago, CSIA said it urged the Bush Administration and Congress to ensure follow-through on the President’s National Strategy to Secure Cyberspace by acting on 12 critical recommendations to protect the nation against cyber-threats.
The recommendations were made in three key areas: raising the profile of cyber-security; encouraging information sharing, threat analysis and contingency; and improving education, research and development.
Grading the Government
CSIA’s report graded the progress of federal agencies on their follow-through on those 12 recommendations. Overall, the Administration and Congress scored a grade of D or below on seven of the 12 recommendations and earned a grade of C on four others.
The only bright spot for the government in CSIA’s report was a commendation for the Senate Foreign Relations Committee recommendation that the Council of Europe’s Convention on Cyber-Crime be ratified by the U.S. Senate.
In response to the CSIA report, Representative Bennie G. Thompson (D-MS), Ranking Member of the House Committee on Homeland Security, expressed concern about what he called the federal government’s continued failure to meet its cyber-security responsibilities.
“Congress, the private sector, academia and the public all understand that America is dependent on interconnected networks — whether in our homes, our workplaces, or in our pipelines, electric grids and dams,” Thompson said. “It is about time that the Department and this Administration understood this and took action.”
Putting It Into Perspective
Richard Smith, an independent privacy and security consultant, told TechNewsWorld that there are two ways to look at the CSIA report: how vulnerable the U.S. is to attacks, and how many attacks are actually threatening the U.S. infrastructure.
“We are extremely vulnerable,” Smith said. “There are a lot of problems with IT systems as a general rule, particularly when we look at desktop computers. We use them to do our work and they help run the economy, but they are terrible when it comes to security.”
On the flip side, Smith said most of the attacks are from “bad guys” hoping to cash in on vulnerabilities rather than destroy an IT infrastructure. He views cyber-security as a law enforcement problem just as other issues are law enforcement problems.
“It’s sort of a double-sided coin,” Smith concluded. “The danger here is if somebody ratchets it up, given the poor security around computer systems and networks, it could cause a lot of grief. But there’s not a lot of evidence that is happening. I wouldn’t call it a crisis.”