And while there are skeptics who feel such an alliance has barely gotten off the ground, others say a strong foundation is being built by experts from both worlds.
An exclusive SC Magazine interview with Ridge at Reed Exhibitions' recent Infosecurity Conference in New York, as well as discussions with other government and corporate experts, reveals that some feel the groundwork for such an alliance has been in the works for awhile and is getting further bolstered by recent efforts never before discussed in the press until now.
Whether or not the partnership is bearing fruit fast enough, however, is the primary concern that plagues some experts.
Talk versus action
"The critical mass of intellectual talent…and creativity to deal with cyber protection resides within the private sector," explains Ridge. "One of the most important roles for government…is to coordinate the effort among the private sector entities, tie in the academic community and then pull in the expertise of government." But there are those who say the government has all but failed at this duty.
The Cyber Security Industry Alliance (CSIA), an advocacy group organized by cybersecurity software, hardware and services companies, recently released A Government Call to Action for 2006, alongside a report card of the federal government's work on information security in the U.S. CSIA gave the administration and Congress a grade of D or below on seven of 12 critical recommendations to protect the critical infrastructure set forth in the President's National Strategy to Secure Cyberspace, and a grade of C on four others.
Paul Kurtz, executive director of the CSIA, says the public sector has to move beyond simple talk.
"Over the last few years, we can all point to meetings between the government and the private sector, which have all been well-intentioned meetings. But the action, follow-up and execution has been next to nothing," he says. "What is missing is leadership. I think we have a series of executives in the private sector who are frustrated with working with the Department of Homeland Security because there is really no one on the other side of the table who is taking the lead."
Larry Clinton, deputy executive director of the Internet Security Alliance (ISA) and a member of the National Cyber Security Partnership (NCSP), agrees that industry groups are frustrated "with the extent of information sharing" between government and private companies. "We don't generally get what we think we need, and often don't know specifically what government wants."
Although there is much to be done, "there are some recent signs of progress," he adds.
But until there is a permanent IT security leader in DHS, who has the authority, accountability and budget to set priorities, the nation's cybersecurity will remain adrift, Kurtz contends.
Ridge disagrees, explaining that filling the still vacant position of assistant secretary for cyber security and telecommunications in DHS is far from the cure-all, especially since efforts between government and private entities have been underway since before Amit Yoran, the former head of DHS's National Cyber Security Division (NCSD), left his post in the fall of 2004.
"There are a lot of people in the industry who think visibility lends itself to outcomes. I'm not necessarily convinced of that," Ridge says.
Had the post never been established, the job of integration, coordination and communication still would be done effectively, he adds.
"It has more to do with the kind of support that the office gets from the organization rather than from the title of the person holding the job," explains Ridge.
Some recent unpublicized cybersecurity meetings held to execute on plans between the corporate world and federal government is evidence of this, he adds.
As a follow-up to an off-site retreat, dubbed Wye I, organized by DHS at Maryland's Wye River in January of 2005, the private sector, specifically the NCSP, lined up the aptly called Wye II in Annapolis, Md. late last year.
The meeting, from which working committees, goals, timelines and already some deliverables have been created, focused on information sharing, roles and responsibilities, and incentives, says the NCSP's Clinton.
The NCSP, which is led by the Business Software Alliance (BSA), the Information Technology Association of America (ITAA), TechNet and the U.S. Chamber of Commerce, set the Wye II's agenda that will lead to real action, says Clinton.
Many private sector pros attending Wye I "thought there was not enough preparation for the event and that the follow-through could have been better. Many of us in the private sector felt that we had already been to too many orientation meetings wherein a wide range of topics were discussed superficially," he says. "We end with good feelings, but no specific plans for follow-through."
The goal then of Wye II was to build upon previous work, as well as "lay the pathway for future work" that will include specific projects to be undertaken by committees led by participating entities throughout 2006, Clinton adds.
Andy Purdy, interim director of NCSD and formerly the deputy director under Yoran, says this and other meetings make up significant activities that show real progress in long-touted public/private partnership goals.
"Frankly, we think we're on the verge of it becoming a whole lot more obvious to everyone that the importance of private sector engagement and collaboration is something well-recognized and is in the process of being implemented," he says.
Clinton, too, believes private sector involvement is key to securing the nation's infrastructure given that enterprises own and operate most of it. It is because of that fact that corporations should take the lead role to safeguard the nation's backbone, he adds. Organizing this last meeting, which differed from others set by DHS, provided such an opportunity. Companies set the agenda and are actively leading the follow-up, which Purdy says is taking place now.
"Our retreat was more a working meeting than a traditional conference. We featured no PowerPoint presentations, introductory [talks], no press conference — indeed it was held [several] months ago and this is the first comment I am making on it, and I would not have made these comments had our government partner not told you about it," says Clinton. "This is not because we're hiding anything. It's just that too often the accent on some past meetings was putting a good face on things and we wanted to be unconcerned with that. Our goal was to make improvements in the areas we designated that needed work. When we have accomplishments, which we are beginning to see, [then] that will be the time for press."
Adds Howard Schmidt, former special adviser for cyberspace security for the White House, who helped organize Wye II. "The meeting is part of "ongoing work to continue…to keep our fingers on the pulse of what's being done, who's doing it and where we're missing [areas] that we need to pick up on."
Another undertaking by DHS, which falls under the Interim National Infrastructure Protection Plan (NIPP), part of Homeland Security Presidential Directives, calls for the agency to take the lead on cyber guidance for IT and other sectors, says Purdy. To accomplish this, a Sector Coordinating Council, comprised of professionals from private organizations, has been established to coordinate and organize cyber risk assessment and cyber risk mitigation nationwide with DHS.
"We're very excited that the Sector Coordinating Council has been organized. It represents a joint initiative to make it a lot easier for everyone to know what the collective wisdom of the government and private sector is as to the assessment of the risks that we face, and what the most important mitigative measures are that need to be taken," explains Purdy. "The idea of creating that visibility, that transparency, is going to have huge implications on the ability of government…[and the] private sector to set milestones, drive progress and identify gaps."
Though Clinton cites NIPP as an effort by DHS from which the private sector should benefit, especially since the latest version "integrates cyber far more into overall infrastructure protection plans than previous versions," the process by which it was developed was far from ideal.
"DHS still chooses to write up plans then send them out for industry comment with unreasonably short timelines, effectively neutering industry input.
The better approach, as we articulated in the Wye II documents, would be to bring industry in at the beginning of the process," he says. "The method for developing the NIPP is almost directly contrary to what the Wye II process recommended."
Another area where DHS lags is in developing an incentive program to motivate companies, especially smaller ones, to keep up their cybersecurity policies and risk management programs, says Clinton. While the government is correct in avoiding an emphasis on a regulatory approach to improve cybersecurity, "a purely laissez-faire model will not work either."
"So far government has shown almost no interest in putting such [an incentive] program into effect," he adds. "As a result we have neither an effective government approach, nor a fully effective industry approach."
"What counts at the end of the day is a set of priorities and a set of projects that are clear and understandable that you and I can both look at and say, 'OK. This is the objective of that project, that's the amount of money allocated for that project, and this is how we interface with the government,'" says CSIA's Kurtz. "That's not taking place now."
However, critics should remember that DHS has three years under its belt and that its cyber division has only about two and a half, says Marcus Sachs, deputy director in the Computer Science Laboratory at SRI International, as well as director of the Washington, D.C. operations of the U.S. DHS Cyber Security Research & Development Center, which SRI supports. Further, since Yoran's departure, a permanent official to lead cybersecurity issues has yet to be appointed.
Faced with this obstacle and its young age, DHS has made decent progress, he says. Still, the grade of D that CSIA gave to government is probably a fair assessment.
Clinton believes both government and corporations are getting better at working together, "but we are not moving fast enough." Adds Sachs: "There's probably more that could be done. They certainly haven't failed, but there's room for a lot of improvement."
Ridge says he and his former DHS staff of some 180,000 have made great strides in addressing the nation's cybersecurity concerns during its three years of existence. The integration of IT security technology into various departmental operations, the establishment of partnerships with state and local governments as well as private entities, and the creation of a plan to secure the nation's infrastructure all work together to create a solid foundation on which current Secretary Michael Chertoff and subsequent successors can continue to build, Ridge explains.
Still, he admits, there is a plenty of work that Chertoff and subsequent leaders of DHS will need to take on. The biggest challenge: convincing corporate America that infrastructure protection costs — which cover bricks and mortar, personnel and cyber issues — are an investment rather than an expense.
"Part of it is changing some of the corporate culture. Can we afford not to make this modest investment in this software or this application that gives us one more level, one more layer of protection? One of the fundamental approaches we used within the department was trying to layer in security so you don't have a single point of failure," he says. "The operational backbone of this country and most corporations is the internet. How anyone could conclude that trying to protect it on the cheap makes good business sense makes no sense to me."
Making necessary investments in risk management portfolios and continuing to build on a public/private partnership that stresses the reduction of risks where manageable and acceptable are steps DHS and its corporate allies will carry on, Ridge further contends.
"I say unequivocally that the ability of the department to achieve its goal, unlike any other department in the federal government, requires the continued integration and collaboration of the people and capabilities at the federal, state and local levels and within the private sector," he explains. "No other national mission and no other cabinet agency, in my judgment, requires that comprehensive embrace of all these capabilities in order to get the job done."
A NATIONAL STRATEGY: Taking action
Since the release of President Bush's National Strategy to Secure Cyberspace, government agencies, the administration and Congress have made too little headway in following through on the document's 12 critical recommendations to safeguard the critical infrastructure.
Because of these lackluster efforts, CSIA recently released A Government Call to Action for 2006, which cites 13 recommendations government should implement "to help improve the privacy, reliability and integrity of information."
A sampling of these recommendations include:
• Pass a national data breach notification bill
• Promote information security in the private sector
• Direct a federal agency to track costs associated with cyberattacks
< • Secure digital control systems
• Fill new cybersecurity post in the Department of Homeland Security
• Increase research and development funding for cybersecurity effort
For the complete list, please go to: www.csialliance.org.
TOM RIDGE: A look back
During one of the most difficult times in U.S. history, Tom Ridge had what he called "a Newhart experience" just before he was to be sworn in as homeland security adviser to the president.
President Bush, after realizing that Ridge's mother was unable to attend the swearing in ceremony, called her for a greeting. Ridge stood in the Oval Office entertained by the one-sided conversation.
"This is President George Bush. Can I talk to Mrs. Ridge?"
By the third time, Ridge knew his mother must have thought it was a crank caller. Finally, the president's responses changed.
"I know he's a fine boy," he says. "I know he'll do a fine job."
Many industry experts and politicians reportedly agree he did, highlighting real progress in homeland security initiatives — both physical and cyber — under difficult circumstances. Ridge took on his initial federal post just days after the 9/11 attacks, a time of much uncertainty in the U.S.
He became the first secretary of DHS in January 2003. In this role, Ridge was tasked with managing the integration of 22 government agencies under DHS, overseeing 180,000 employees and forging a strategy to protect the U.S. from terrorist threats.
Some criticism did follow his resignation in late 2004, reportedly from politicians who felt he could have done more to safeguard the nation from terrorist threats, especially if given the authority and tools to do so.
He had reportedly cited hopes of getting more involved with family as the main reason for his departure from DHS. As of late, he can be seen making the speaker circuit, discussing how private companies and the government will need to move forward together to tackle physical and cybersecurity threats at home.
Undoubtedly his experience as a two-term Pennsylvania governor from 1995 to 2001 has been indispensable. He was known for his aggressive technology strategy that helped fuel the state's advances in economic development, education, health and the environment.
WORK IN PROGRESS: Dissecting Wye II
Wye II is not a one-shot deal.
To drive this point home, members of the National Cyber Security Partnership (NCSP) who organized it set up committees beforehand in which both private and public sector partners were invited to participate, explains Larry Clinton, deputy executive director of the Internet Security Alliance (ISA) and a member of the NCSP. In addition to DHS officials, representatives from the FBI, DOJ, State, Treasury, GAO, DOD, and NIST, as well as representation from the Hill were present at the working meeting, according to John Papa, DHS's National Cyber Security Division.
Before they even hit the gathering, each group wrote detailed papers about the topics covered at the retreat — information sharing, role and responsibilities and incentives — and shared the papers one week before.
"So the first day, we met to discuss the issue papers and come up with steps to improve. The second day we met in a plenary session and discussed the work group reports," he says.
"We came up with a set of goals, objectives and timelines for achieving them in each issue area. Subsequent to the Wye II event, we created new working groups to work on the projects identified and appointed a chair to lead them. Several of these groups are meeting and we have just published the first product consistent with the suggestions coming out of [the event] — a best practice publication on the use of contracts to improve cybersecurity practices," says Clinton. "We have begun discussing the need for a third meeting, this one focused on the implementation step drawn primarily from Wye II."
Andy Purdy, interim director of the National Cyber Security Division, says working closely with private partners and other government agencies is allowing them to make tremendous progress on coordinating efforts to secure cyberspace. However, attempts to address, for example, the Federal Advisory Committee Act (FACA) or set up the structure behind the National Infrastructure Protection Plan (NIPP), have moved more slowly than all parties would like. Formalizing partnerships and working groups, such as the Sector Coordinating Council for NIPP, will be a "breakthrough" for 2006, he says.
DHS's long-term plans in the cybersecurity area, he adds, have gotten results. The formation of the US-CERT, the support structure for NIPP now in place, and the formation of the National Cyber Response Coordination Group (see sidebar, p. 34) that allows agencies to share information with one another and then disseminate some of this to private sector partners and public citizens exemplify this.
In addition to continuing the strides made at Wye II, Purdy says his division will go on working closely with the IT Information Sharing and Analysis Center (ISAC), which gathers information from eight other industry ISACs. The goal is to incorporate their information sharing mechanisms into the Homeland Security Network (HSN) portal. The US-CERT Secure Portal, where 2,000 government and private groups share threat information, will also get integrated into that network. Such endeavors will enable both government and public sectors to have much easier access to one another's findings.
"We've got to sit down and look at how we can share information. For people to submit information they have to believe two things," adds Purdy. "They need to get value back and know the information they're giving is doing some good….We want to improve information sharing, but we want to do it in a way we can operationalize."
A FRAMEWORK: Coordinating federal response to cyberthreats
As directed by Homeland Security Presidential Directives 5 and 8, the National Cyber Security Division (NCSD) created a Cyber Annex to the National Response Plan (NRP) that provides a framework for responding to cyber incidents of national significance.
The Cyber Annex established the National Cyber Response Coordination Group (NCRCG) as the principal federal government response body. The NCRCG facilitates a collaborative federal government approach to national cyber incident response.
The co-chairs of the NCRCG are NCSD, the Department of Justice and the Department of Defense. An additional 13 federal agencies with statutory responsibility for and/or specific capability toward cybersecurity, including the intelligence community, are members. NCSD/United States Computer Security Readiness Team (US-CERT) serves as the Executive Agent and point of contact for the NCRCG.
The NCRCG is currently reviewing capabilities of federal agencies from a cyber defense perspective to leverage and coordinate the preparation for and response to significant cyber incidents.
–John Papa, DHS's National Cyber Security Division
Outreach and Awareness