[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[infowar.de] U.S. cybersecurity czar has his marching orders
Der Neue ist jetzt endlich gefunden und darf erzählen, was er vor hat.
Kurze Meldung dazu auch bei Techdirt:
<http://techdirt.com/articles/20070220/105239.shtml>
RB
http://news.com.com/2102-7348_3-6160438.html
U.S. cybersecurity czar has his marching orders
By Joris Evers
http://news.com.com/U.S.+cybersecurity+czar+has+his+marching+orders/2008-7348_3-6160438.html
Story last modified Tue Feb 20 06:27:51 PST 2007
The top U.S. cybersecurity official wants Congress to come up with ways to
promote adoption of security technologies, and he sees a tax break as one
possible incentive.
Greg Garcia was appointed by Homeland Security chief Michael Chertoff in
September, after the position went unfilled for more than a year. He's the
first U.S. cybersecurity czar to hold the title of assistant secretary.
The elevated position is important as it comes with more power; a lack of
stature is part of the reason why his predecessors failed, Garcia says.
His self-described mission is hardly surprising, especially given his
background as an executive at the Information Technology Association of
America, a tech industry group.
For example, Garcia is asking for Congress to think of ways to promote
more purchases of security technology or technology with security already
built in. He's not asking for regulation of the industry. He opposes that,
thus going against some who have advocated backdoors in encryption
technology so law enforcement can read the encrypted files of criminal
suspects.
Garcia is also working to connect private industry security watchdogs with
government ones, continuing the familiar call for cooperation between
public and private groups. He sat down with CNET News.com earlier this month.
Q: You've been on the job almost six months now. You've said that after
the first week you felt like a laptop getting a download from a
supercomputer. What do you feel like now?
Garcia: I feel like a supercomputer. We are really poised for some
successes this year. When I say it is downloading a supercomputer into a
laptop, it was because the cybersecurity and communications mission is so
huge, and, of course, it's learning your way around the bureaucracy. But
in mid-December I briefed the secretary on my objectives and he understood
it, and he gave me the marching orders to go execute.
What we need to be able to do is to articulate how it is that investing in
security is going to accrue more benefits back to the company.
Now it's February and I've got my leadership team in place, and so I'm
feeling much more complete as an organization that we have the
intellectual firepower (and) we have people with years of government
experience who understand how to get things done. So, I'm feeling very
confident.
You're the first person to have this more elevated role and title as
assistant secretary. Is it important that you are an assistant
secretary--does it make your job easier?
Garcia: I noticed it on my first week on the job. I think what everybody
was looking for is someone who is the focal point for cybersecurity and
communications security. Somebody who can actually follow through when the
private sector is asked to commit resources to do something like a
national risk assessment (or) to do something like partnering with the
government on operational capabilities.
A lot of problems in the past existed because there was not someone of
this level managing the mission. It really took place with fits and starts
because there wasn't someone senior enough to have the influence and the
authority, not just within DHS, but across all government agencies. I am
able to say: "This will be," and I can get things done. People recognize
that, and they were eager for it.
You plan on calling on Congress to think of ways to provide incentives so
people will enhance security. What incentives would drive security
investments?
Garcia: All the stakeholders have different business models: financial
services companies, banks, insurance companies, for example. What is
persuasive to them as a business case so they would invest $1 million in
an information technology system with security features and invest in
training?
Globalization does present risks, but ultimately the test is not where
something is made, but how it is made.
I think Congress plays an important role in its oversight capacity. What
laws are in existence that (deter) investment in security, and what laws
ought to be written that will help push the market toward investment that
will strengthen our security? Is it insurance? Get better rates on
insurance. Are there tax incentives that can come from this? Relief from
liability?
There are a lot of different ideas that have been discussed by the private
sector, by Congress. I want a more concerted effort, a series of hearings
that really look at some of the different critical infrastructure sectors.
What we need to be able to do is to articulate how it is that investing in
security is going to accrue more benefits back to the company.
Ultimately, you would hope that Congress in some way would make it more
interesting for businesses, organizations and universities to invest in
security?
Garcia: There may be no need for legislation. What I'm suggesting is that
this conversation needs to take place in a methodical way. Just the
existence of that conversation may get different sectors to think
creatively about how companies can invest and feel good about the
investment knowing that there is a return.
Could it be like the tax breaks on hybrid cars? Could I get a tax break if
I buy a computer system with enhanced security, similar to when I buy a
Prius today?
Garcia: A lot of it is exactly that. But it has to be customer driven--if
you're my customer, and you say, "I'll do business with you if you can
show me that you have a secure system." We're trying to raise awareness to
get everyone thinking proactively about security instead of reacting to
breaches or Internet disruptions because they didn't prepare. A lot of
this is going to be customer driven; there maybe some tweaks to laws that
Congress can do that will drive investment.
You, as (do) many in the industry, predict that all worldwide
communications will be going over a single, Internet Protocol-based pipe.
Is that a scary thought?
Garcia: It can be if we don't address the full spectrum of issues. Having
our information and communications traveling through the same pipe
introduces efficiencies for enterprise management, cost savings,
productivity, a panoply of features. This is the next-generation network,
but with that comes more vulnerabilities. We need to be clearly aware of
what those vulnerabilities are and take steps now as we build out this
little architecture, (and) build in more security as we go.
DHS needs to continue to promote innovation in the private sector. Let the
marketplace determine what the best tool to use is.
At the same time, you see a threat in globalization of the IT industry.
Garcia: Globalization is great and, just (like) convergence of networks,
globalization introduces new efficiencies and economies of scale. However,
there are risks involved with that, because the more you distribute your
design, your manufacturing, your packaging, your shipping, the more there
are opportunities for vulnerabilities to be introduced. A lot of the
malicious hackers are outside of the United States.
Many global companies that I've talked with are acutely aware of that and
have very stringent controls in terms of employee clearance processes,
background checks--that kind of thing.
Still, Apple shipped a Windows virus on iPods assembled overseas.
Garcia: All companies need to be watchful. Globalization does present
risks, but ultimately the test is not where something is made, but how it
is made. There have to be security procedures built into the supply chain,
particularly if you've got a global supply chain.
You talked about US-CERT, your network monitoring center, moving in with
private sector security monitoring efforts. What are the benefits of this?
Garcia: For us to have a truly effective instant response, you need
trusted information sharing between the key stakeholders. If we don't have
that, we're not going to work as well together, so collocating and
bringing them together physically is the way to go.
Hard-drive encryption is becoming more popular. Windows Vista has
BitLocker, and Macs have had FileVault for a while. Where do you stand on
encryption? Is America better off with encryption being available to lots
of people, or should it be restricted?
Garcia: Encryption is one tool among many. DHS needs to continue to
promote innovation in the private sector. Let the marketplace determine
what the best tool to use is.
When it comes to being able to prosecute criminals, should there be a
backdoor to let law enforcement access encrypted files?
Garcia: We don't want to regulate the technological marketplace. We can
fight technology with technology and use the tools at our disposal.
There will be a second major readiness exercise, CyberStorm II, in March
next year. Do you know what the focus will be?
Garcia: We had our first planning session a few weeks ago, so that's still
in the developmental stages. We do want to extend to other industry
sectors, and we'll bring in more state actors and international actors.
Exactly what the scenarios are going to be that we'll be responding
to--that's yet to come.
---------------------------------------------------------------------
To unsubscribe, e-mail: infowar -
de-unsubscribe -!
- infopeace -
de
For additional commands, e-mail: infowar -
de-help -!
- infopeace -
de