"Irrelevant" DHS must take action

Share this article:

As it continues to offer little IT security guidance and flails in its leadership role on cyber security issues, the Department of Homeland Security is "almost becoming irrelevant."

There is the impression now among corporate IT security leaders that DHS specializes in holding meetings on IT security-related matters, but falls short on action, said Richard Cressey, president of Good Harbor Consulting and former chief of staff to the president's Critical Infrastructure Protection Board at the White House, during an interview after his opening keynote address at the Infosec World Conference & Expo 2005 in Florida.

During his speech, he noted that the government's biggest problem is understanding just what to do and how to do. Leadership upheaval in DHS and its Cyber Security division is only compounding this indecision. Because government decision-makers decided that IT security cannot overshadow physical security needs, a tension between industry and government has arisen. With little follow-up on the National Strategy to Secure Cyber Space, which is supposed to be a "living document," relations between the private and public sectors to improve critical infrastructure protections are floundering, he noted after the speech.

"There has been a leadership vacuum at the department that is going to continue for at leastthe next several months," said Cressey during the interview.

However, with the new Secretary of DHS Michael Chertoff, who was sworn in on February 15, stating during his first month in office that government and private industry must take a risk management approach, Cressey said he is optimistic that positive change will occur. Because Chertoff has been focusing on the need to understand vulnerabilities and their consequences,as well as the requirement to prioritize assetts and reduce risk, Cressey said cyber security issues may just start to get the weight they deserve.

Such focus is a requirement, given the "national security problem" of vulnerabilities. With every 1,000 lines of code having at least 10 vulnerabilities according to some data, companies are strapped with a "target-rich environment," Cressey explained. To help with this, government should quickly ensure the rapid dissemination of vulnerabilitity and threat information, among other intitiatives.

In the long-term, Cressey suggested that the government begin developing a workplan, metrics, milestones and accountability procedures around a list of top five cyber security priorities. Most importantly, officials should reignite public/private relationships by developing a national recovery/reconstitution plan that stresses the importance of getting interconnected critical infrastructure up and running quickly in the event of a massive failure. Additionally, they should approach ISPs to do a better job at filtering at the core and take improved steps to stop DDoS attacks. An opprotunity also lies in reaching the corporate world through talks about identity theft and phishing attacks -- cyber security issues that continue to be growing issues of concern for companies and private citizen alike, he said.

As reported in SC Magazine here DHS officials told delegates at the RSA Conference in February that progress was being made in cybersecurity but help was needed from industry.

www.dhs.gov

Share this article:

Sign up to our newsletters

More in News

In Cisco probe, misuse or compromise spotted on all firms' networks

In Cisco probe, misuse or compromise spotted on ...

Cisco analyzed the business networks of 30 multinational companies last year, and revealed the findings in its 2014 Annual Security Report.

Fareit trojan observed spreading Necurs, Zbot and CryptoLocker

The Necurs and Zbot trojans, as well as CryptoLocker ransomware, has been observed by researchers as being spread through another trojan, known as Fareit.

Post Heartbleed, tech giants join initiative to bolster open source

Post Heartbleed, tech giants join initiative to bolster ...

The newly formed Core Infrastructure Initiative, created to boost under-funded open source projects, will tackle OpenSSL first.