Newsmaker: U.S. cybersecurity czar has his marching orders

(continued from previous page)

Could it be like the tax breaks on hybrid cars? Could I get a tax break if I buy a computer system with enhanced security, similar to when I buy a Prius today?
Garcia: A lot of it is exactly that. But it has to be customer driven--if you're my customer, and you say, "I'll do business with you if you can show me that you have a secure system." We're trying to raise awareness to get everyone thinking proactively about security instead of reacting to breaches or Internet disruptions because they didn't prepare. A lot of this is going to be customer driven; there maybe some tweaks to laws that Congress can do that will drive investment.

You, as (do) many in the industry, predict that all worldwide communications will be going over a single, Internet Protocol-based pipe. Is that a scary thought?
Garcia: It can be if we don't address the full spectrum of issues. Having our information and communications traveling through the same pipe introduces efficiencies for enterprise management, cost savings, productivity, a panoply of features. This is the next-generation network, but with that comes more vulnerabilities. We need to be clearly aware of what those vulnerabilities are and take steps now as we build out this little architecture, (and) build in more security as we go.

DHS needs to continue to promote innovation in the private sector. Let the marketplace determine what the best tool to use is.

At the same time, you see a threat in globalization of the IT industry.
Garcia: Globalization is great and, just (like) convergence of networks, globalization introduces new efficiencies and economies of scale. However, there are risks involved with that, because the more you distribute your design, your manufacturing, your packaging, your shipping, the more there are opportunities for vulnerabilities to be introduced. A lot of the malicious hackers are outside of the United States.

Many global companies that I've talked with are acutely aware of that and have very stringent controls in terms of employee clearance processes, background checks--that kind of thing.

Still, Apple shipped a Windows virus on iPods assembled overseas.
Garcia: All companies need to be watchful. Globalization does present risks, but ultimately the test is not where something is made, but how it is made. There have to be security procedures built into the supply chain, particularly if you've got a global supply chain.

You talked about US-CERT, your network monitoring center, moving in with private sector security monitoring efforts. What are the benefits of this?
Garcia: For us to have a truly effective instant response, you need trusted information sharing between the key stakeholders. If we don't have that, we're not going to work as well together, so collocating and bringing them together physically is the way to go.

Hard-drive encryption is becoming more popular. Windows Vista has BitLocker, and Macs have had FileVault for a while. Where do you stand on encryption? Is America better off with encryption being available to lots of people, or should it be restricted?
Garcia: Encryption is one tool among many. DHS needs to continue to promote innovation in the private sector. Let the marketplace determine what the best tool to use is.

When it comes to being able to prosecute criminals, should there be a backdoor to let law enforcement access encrypted files?
Garcia: We don't want to regulate the technological marketplace. We can fight technology with technology and use the tools at our disposal.

There will be a second major readiness exercise, CyberStorm II, in March next year. Do you know what the focus will be?
Garcia: We had our first planning session a few weeks ago, so that's still in the developmental stages. We do want to extend to other industry sectors, and we'll bring in more state actors and international actors. Exactly what the scenarios are going to be that we'll be responding to--that's yet to come.  

More Newsmakers

[MSSlayer]

Security tools are worthless..

...unless every person in the organization is properly trained and doesn't do idiotic things like take home sensitive data or give out their authentication information.

The most secure cryptography is worthless under these circumstances. The most advanced network defenses completely fail when you have stupid people.

Instead of hiring a hack to be in charge of this important area, why didn't they hire a someone with real technical background who is well versed in computer security?

There is a saying is computer security circles, security features != secure features.