'Cybersecurity commission' to proffer advice to next president
These 'cybersecurity commission' members spoke at Black Hat on Wednesday evening, from left: Tom Kellermann of Core Security Technologies; Marcus Sachs, Verizon's director of national security policy; Jerry Dixon, director of analysis at Team Cymru; Peter Allor, an IBM security program manager.
(Credit: Declan McCullagh/CNET News)
LAS VEGAS--Transitions between presidential administrations are typically influence-peddling, power-consolidating, appointee-vetting exercises run by Washington insiders. Perhaps that's why the quintessential Washington think tank, the Center for Strategic and International Studies, is trying to insert itself into the process.
The private organization, which has close ties to the U.S. military and counts Henry Kissinger on its payroll, has gathered about 35 people and awarded them the official-sounding title of "Commission on Cyber Security for the 44th Presidency." Adding to the formality are some closed-to-the-public meetings and ex-officio members from federal agencies, congressional offices, and the nebulous "intelligence community."
The group's mandate is unusually broad: developing a "forward-looking framework for organizing and prioritizing government efforts to secure cyberspace." But four of its members indicated on Wednesday that the commission is focused on compiling no more than five recommendations and will not be proposing legislation or suggesting dramatic changes.
Marcus Sachs, Verizon's director of national security policy, a former government official, and a commission member, said that stealthy cyberintrusions were a real threat to the security of today's networks.
"In the transition between the Clinton and Bush presidencies in late 2000, there was no group doing what we're doing now...trying to tee up cybersecurity as an agenda item," Sachs said during a panel discussion at the Black Hat security conference here.
"What we're really trying to figure out is how to collaborate" between government and industry, said Peter Allor, an IBM security program manager and a commission member. "Information sharing is broken. It's a one-way send."
Of course, calling for better information-sharing is like promising to clean up Washington: everyone says it's a good idea, but nothing ever seems to happen. (CNET News, for example, published an interview in 2002 in which the head of the Partnership for Critical Infrastructure Security said better "information sharing" was a "strategic area." In a 2004 follow-up, a senator said "we need a complete system of information sharing" between the private sector and the government.)
One panelist said that the FBI's "InfraGard" information-sharing relationships with the private sector shouldn't change.
"We're not recommending to do away with InfraGard," said Jerry Dixon, director of analysis at the Team Cymru research firm, a former Homeland Security official, and a commission member. "That's something that the executive departments have set up... We're certainly not recommending to do away with those different partnerships because they belong to the different departments."
The CSIS panel is composed mostly of industry, government, and ex-government types. Among the other members: Mary Ann Davidson, Oracle's chief security officer; Doug Maughan, a Homeland Security program manager; Will Pelgrin of New York's cybersecurity office; Phil Reitinger, a Microsoft security strategist; and Amit Yoran, chairman of NetWitness and a former Homeland Security official.
The commission plans to publish the final report in "early November" and, perhaps, an earlier draft for public comment.
"It has to be elevated to the highest echelons of this government and internationally," Tom Kellermann, a vice president at Core Security Technologies, a former World Bank security official, and a commission member, said, referring to cybersecurity topics. "We're losing the war. It's essential. That's the key theme of the recommendations that will come out."
The difficulty is making sure a President McCain or President Obama pays attention to them. The ACLU, for example, presented the incoming President Clinton with a briefing book called "Restoring Civil Liberties: A Blueprint for Action." As it turned out, Clinton embraced the notorious Clipper chip, mandatory wiretapping rules, and attempts to ban encryption products without backdoors for government surveillance.
Then again, even if the CSIS commission finds its recommendations ignored, the identities of its members may not be. In Washington, joining commissions like this one serves a convenient secondary purpose: it just happens to circulate your biography to the people who are doing the hiring for the new president.
Declan McCullagh, CNET News' chief political correspondent, chronicles the intersection of politics and technology. He has covered politics, technology, and Washington, D.C., for more than a decade, which has turned him into an iconoclast and a skeptic of anyone who says, "We oughta have a new federal law against this."
Quit trolling the posts to promote that website, the writing is short-sighted and it is bad form to use someone else's comments to promote your agenda.
This is just another PAC organization looking for power, influence, and legislation from the government. Black Hat has become nothing but a bunch of alleged security professionals showing up to peddle their warez. Basically another E3 or Macworld. Real "hackers" stopped showing up years ago.
Organizations should pursue their own security policy and practices to cover their own interests and protection of their customers.
PCI is a good example. The industry went out and set up a framework to circumvent the government from interfering with bad legislation like what SOX did. The average person STILL thinks SOX protects pensions and it doesn't...it just protects shareholders.
The last thing the IT industry needs is another pack of jokers trying to peddle around Washington.
On a side note, InfraGard is another example of a good idea gone bad. I used to go to the meetings and such, but when I discovered they want to hear everything you have to say but give nothing in return, red flags went up all over the place. It is funny how managers who are InfraGard members think they are part of real IT security when instead they are nothing but hapless informants on their own companies to the government.
Black Hat and InfraGard are becoming obvious jokes and nothing but conferences so companies can peddle their warez.
by fdunn3, August 7, 2008 5:30 PM PDT
How about starting with encrypting TSA laptops like the one that went missing (no details on how) with VIP "fast-pass" passenger data on it.
The Government should clean its own house before they think they have InfoSec credentials.