U.S. Cyber Security Division director Amit Yoran, warmly embraced by the IT security community as head of the nation’s cyber security when appointed in September, warned this week that more sophisticated and potentially disruptive cyber attacks could be looming against a system that remains vulnerable.
Speaking with U.S. Department of Homeland Security Secretary Tom Ridge at a summit this week, Yoran said that even against previous attacks that have been less sophisticated, the government failed to protect its own systems adequately.
In addition, Ridge referred to the troubling trend in computer and network security of increasing dependence on an electronic infrastructure that drives many aspects of daily life.
“These networks and the infrastructures they support present an attractive target for terrorists,” Ridge said. “They know, as we do, that a few lines of code could ultimately wreak as much havoc as a handful of bombs.”
Federal cyber defense critic Ron Bailey — founder and chief executive of Vanguard Integrity Professionals, an industry group intended to make up for the government’s shortcomings on cyber security — told TechNewsWorld that the matter is often overlooked because it is difficult to recognize.
“It’s very easy to understand a physical threat, but the cyber threat is a silent killer,” Bailey said. “It’s very difficult for people to relate to the threat, but it is real.”
At the Cyber Security Summit this week, IT professionals and executives, academics and others met to deal with awareness, early warning systems, corporate governance, technical standards and secure software development.
Work groups came up with a series of initiatives and pledged to come forward with “initial deliverables” by March 1, 2004.
Entrust chairman and CEO Bill Conner, who cochaired the corporate governance task force at the summit, said executive management must be guided by security governance since information security is not merely a technology issue.
“From financial services and energy to telecommunications and health care — our modern platforms of commerce and physical security depend on a robust and safe network environment,” Conner said in a statement. “This environment does not presently exist, but today’s meetings served as a positive precursor to what can and must be achieved to make it a reality.”
Conner said that although the issues of information security are complex, the technological tools are “readily available and proven.”
“The next step is for private industry and executive management to integrate cyber security into their core governance practices,” he said.
Awareness Not Action
Echoing Ridge’s concerns about terrorists taking aim at cyberspace, CyberGuard federal division vice president Matt Mosher told TechNewsWorld that the targets of opportunity in the United States are incredibly large, adding that a good deal of infrastructure is controlled by private industry.
“Is cyber security better than it was three years ago? I would say yes,” Mosher said. “I’m sure it isn’t good enough. It only takes one [failure] for there to be a significant event. There’s just very little margin for error.”
Mosher said that although awareness is increasing and companies such as Microsoft are putting more and more priority and resources on security, the only real way to drive an industry in any direction is through the bottom line.
“We’re in a market economy, and that’s what drives it,” he said. “I think [companies] are all talking about [cyber security], but at the end of the day, these are public companies motivated by money.”
“There’s greater awareness,” he added. “Are they fundamentally going to change their development efforts and make security a priority? I don’t think so.”