March 18, 2004 3:06 PM PST
Security groups call for education, alert systems
- Related Stories
Government, industry debate cybersecurity remediesMarch 17, 2004
Cybersecurity task forces push for resultsDecember 4, 2003
Bush unveils final cybersecurity planFebruary 14, 2003
"Today's announcement is the equivalent of national leaders telling every driver to wear football pads and helmets and tie themselves to the seat backs, because the automobile manufacturers won't build in seat belts and air bags and better bumpers, and because there are a lot of dangerous drivers on the road."
"We consider these recommendations to be a good starting point," said Guy Copeland, vice president at technology contractor Computer Sciences. "This is a dedicated group of volunteers presenting some hard thoughts on how to secure our information infrastructure."
The task force recommendations come almost four months after industry and government officials met to discuss how a partnership could improve the nation's overall cybersecurity and more than a year after the Bush administration released the final draft of the National Strategy to Secure Cyberspace.
Some security experts criticized the proposals as a way for companies to dodge any responsibility for the morass of security issues that plague firms and people on the Internet, a charge similar to that leveled against the National Strategy to Secure Cyberspace, which recommends that each Internet participant learn to secure his or her portion of the online domain.
"The average user will never become the kind of expert needed to protect himself or herself against the attacks being launched today," Alan Paller, director of research for the SANS Institute, said in a statement. "Today's announcement is the equivalent of national leaders telling every driver to wear football pads and helmets and tie themselves to the seat backs, because the automobile manufacturers won't build in seat belts and air bags and better bumpers and because there are a lot of dangerous drivers on the road."
"We want to have everything a person needs to protect their system, such as a personal firewall. Something my 87-year-old dad can deal with and not be confused about."
The Awareness and Outreach Task Force
Federal agencies are graded on their information security under the Federal Information Security Management Act, which establishes detailed security regulations for agencies to follow. Private companies have no such obligations.
The Awareness and Outreach Task Force was initially charged with finding ways of increasing awareness of online threats and good security practices among home users and small businesses. In order to better support the National
Get Up to Speed on...
Get the latest headlines and
company-specific news in our
expanded GUTS section.
Much of the working group's focus is on strengthening the weakest link in Internet security--the users--by educating and providing simpler security tools.
"Computers are designed to run code, and as long as there are bad guys out there, end users will have to learn to protect themselves," Schmidt said. In his current role as the chief security officer for online auctioneer eBay, Schmidt frequently has to deal with the security costs of having a large number of users who aren't aware of online security issues.
The working group's recommendations are split between education and more proactive initiatives.
For small businesses, the report proposes that a security guidebook be developed to teach the best practices in security but also suggests that industry should encourage the creation of incentives, such as insurance, that could reward businesses that improve their security.
A national public service campaign could help educate consumers on cybersecurity, while a security tool kit would help the tech-illiterate protect themselves from Internet attack, Schmidt said.
"We want to have everything a person needs to protect their system, such as a personal firewall," he said. "Something my 87-year-old dad can deal with and not be confused about."
Large companies haven't escaped the attention of the working group, either. The group suggests that September 2004 be designated Cyber Security Month, that a direct mail campaign target the top executives at the largest 10,000 companies in the United States with security messages and that regional homeland security forums be held in partnership with the Department of Homeland Security.
The task force also recommends that the government start educating American citizens about cybersecurity from a young age, advocating teaching kids about appropriate cybersecurity and online behavior. In addition, the report proposes that the Homeland Security Department clone its forums for university presidents.
The second working group, the Cyber Security Early Warning Task Force, also released its initial recommendations Thursday.
The group proposed that a public-private network be created to give early warning to information managers and network administrators of possible attacks. The so-called Early Warning Contact Network, or EWAN, would share information on incidents and vulnerabilities between vetted professionals.
The network would distribute information in four ways, through daily status conference calls, online alerts, analysis of threats and a means to coordinate calls between managers responsible for networks and infrastructure.
The group aims to have an initial working version of the network in October, with the network going into regular use by the end of 2004.
The task force also proposed the creation of a National Crisis Communications Center, modeled on a concept currently used in the telecommunications sector. Each major player in the Internet world would have a representative in the NCCC that would facilitate communications during a cyberattack or other crisis.
The NCCC would conduct training exercises, offer advice on current national cybersecurity issues and share intelligence on current threats. The task force recommended that Congress consider the concept over the next two years and pass legislation to create the center in 2005.
A third report, on technical standards, will be released March 31, and two final reports, on improving software development practices and on ways of making boardrooms more responsible for information security, will arrive April 6.