Newsmaker: Locking down America's Net defenses

(continued from previous page)

We're certainly encouraging the private sector to use best practices to help secure their information systems. Just as (Homeland Security Secretary Michael) Chertoff has called for a risk management approach from a national perspective, it is critically important that the leaders of organizations use traditional risk management processes but include cyberrisks as part of those processes so that they assess and mitigate the cyberrisks that their organizations face. That mitigation can include reducing vulnerabilities, business continuity and disaster recovery plans as well as implementing the best practices generally.

Do you have any advice for ordinary consumers? Do you think they can help out--are they part of this link to protect the national infrastructure, or do they not matter that much when it comes to that?
Purdy: I think consumers and small businesses and large enterprises and the government are all important when trying to reduce the cyberrisk. We're trying to raise awareness with partners of the responsibility and techniques consumers can use to help secure their systems. Some of the traditional techniques they have heard a lot, but it is important to re-emphasize them. To make sure they have a firewall and it is turned on, they have antivirus protection and it is updated, that they have anti-spyware protection and that's updated, make sure their operating systems are updated, make sure you don't open e-mail from strangers and don't open attachments from anyone unless you're expecting it.

America remains at risk. We remain at risk from both a physical and cyber perspective.

It is critical that they secure themselves to help secure others. It is possible with malicious code that can get implanted on computers that the computers of tens of thousands of home users can be used to launch attacks, unwittingly to the consumer, that can harm other consumers and harm government and the private sector.

Is it straightforward enough for consumers to stay secure online these days?
Purdy: I think it is important for consumers to go to Web sites like StaySafeOnline.org and US-Cert.gov and diligently follow the steps in that advice. It is important, though, for businesses to make it easier for consumers to do that. There are a number of different steps, a number of different technologies, to the extent that there can be more of a one-stop shop, one-stop solution, that is going to help make it easier for consumers who recognize the problem to address the problem. But there are enough tools now that consumers should be able to protect their systems. And they have to recognize that it is not just protecting their systems; it is protecting their personal information that may be on their computer, and it is making sure their computer isn't used to harm someone else.

When it comes to business, legislation that requires compliance or data security breach notification has come up in various states and is making its way through Congress. Some requires business to use some security software. Do you think legislation to require security is the way to go?
Purdy: As a general proposition we would rather avoid a mandatory, regulated solution to cybersecurity challenges. As in all issues of risk mitigation, the Department of Homeland Security sees legislative, regulatory solutions as a last resort. There are some instances, where, for example, in the chemical sector, the department has weighed in in favor of some regulation.

What keeps you up at night?
Purdy: As I mentioned before, we believe that cyberrisk is an important part of the risk we need to mitigate. The greatest potential disruption would be sophisticated, organized, well-financed attackers who wanted to cause large-scale cyberattacks. That kind of an eventuality is one that is on my worse-feared list. I am not saying it is most likely feared, it is most feared.

Do you believe in cyberterrorism?
Purdy: The approach to risk mitigation is very different (now) than before the National Strategy. There was a tendency to look at the threat and the information we have about the intent and capability of those who would harm us. After the national strategy and under Secretary Chertoff's risk management agenda, we're focused on risk, which is a combination of threats, vulnerabilities and the consequences if those vulnerabilities were exploited. Because we don't have specific threat information of terrorist groups wanting to and intending to launch cyberattacks against us, we nonetheless recognize that there is cyberrisk.

We're not going to wait until we have specific threat information and we could not respond quickly enough; we're trying to mitigate the most significant risks now. If and when we get specific threat information, we can use that to help mitigate risk that is attendant to that specific threat.  

More Newsmakers

[Macsaresafer]

Pathetic.

Ok, we all understand that no system is 100% secure. It is
technically possible to break into Fort Knox, so everybody needs
to pay some attention to their computer security.

That said, there's one and only one reason that computer
security is such a big issue these days: Microsoft Windows. It's
the least secure OS on the planet, and this article and the links
on it just dance around MS security problems like everybody else
has them too.

Until Government and large businesses recognize that ALL of the
alternatives to Windows are significantly more secure, we're
going to remain vulnerable.

[n3td3v]

U.S funded cyberattacks, yeah!

You can fool the American people who live within your bubble of propaganda and smoke screens but to everyone else outside U.S its pretty obvious the real intentions of the DHS'S preperations... http://news.com.com/5208-7349-0.html?forumID=1&threadID=13915&messageID=112850&start=-188

[Vetter83]

DHS is FEMA right..???

Since FEMA cant seem to get any part of the N.O. disaster right.. what on earth make these morons think they can handle something as complicated and archaic as net security???

[Iohagh]

Hi Technology and High Tides

Everyone I know has the exact same idea that is is the DHS is FEMA and FEMA failed to handle low tech issues like moving busses from A to B how can they protect virtual doors from A1 to A2000 let alone protect B1 to B3400.

It looks like DHS and FEMA are a nest of cronies who give work to each other. I think that is called political pork barrel or patronage.

To say either agency is consumer or citizen friendly is an oxymoron like "freeway". Simply put competance is competance and incompetance is incompetance.

I think in The Art of War one of the best things you can have is a stupid enemy so you can win before even one man steps onto the theater of conflict. The cyber mafias must be laughing their heads off. That's what I think. Ciao now.