On Communications Sector Cyber Security

June 26, 2009 by ADMIN

From The Internet Security Alliance

What are the greatest problems your company (or industry sector if you prefer) perceives regarding cyber security?

Some companies are ahead of the curve. We have invested in technology and personnel and have established governance structures that look at cyber security from the bottom up in each business unit and from the top down through corporate policy and compliance efforts.

We continually audit and assess how we are doing. We also aggressively reach out and partner with government; both when we serve them as clients and on a public policy level. However, too many of the companies we provide service to don’t realize that cyber security is a requirement in systems we deploy.

Although there is significant risk present today, they don’t look at cyber security as a necessary element of investment; it’s an afterthought.

Even some organizations that do realize there is a threat don’t realize its magnitude. We live in a hyper-connected world where every “node” affects every other one, and the weak links in the chain endanger everyone.

The people who do get it are burdened with the costs for those who don’t. Hence, we need a program that will reach everyone. People often don’t get that they may have secured a portion of the network but they are still vulnerable.

The lack of awareness and the need to be constantly thinking about this is a major problem. This includes all levels of government from the highest to the lowest levels.

We worry whether we fully understand the needs of our clients, especially our government agency clients. Even companies who are on top of the problem have concerns. We worry about the IT supply chain. We worry about the off-shore security of both employees and equipment. We worry whether we are staying ahead of the emerging threats.

Are we fully appreciating the link between physical and cyber security?

From an “all hazards” approach, we worry about the overall architecture of the system. If there were a major incident in one facility, would we and our customers have what we need to survive a major hit?

This is especially worrisome in the government enterprise sector. We worry about SCADA attacks because we are dependent on the power supply to provide the services we are responsible for in an attack.

And, we worry about what it is that we do not yet know.

What are the biggest obstacles you perceive for your company (or industry sector) in addressing the major problems related to cyber security?

For companies who have already made cyber security a corporate priority, we need to be sure that the policies and programs in place are being implemented both internally and externally with our partners.

The terms and conditions on the network contracts need to be structured to make sure we have the right agents in place, and to specify the roles and responsibilities needed to ensure we have adequate backup systems.

Since we are concerned about the insider threat, we need to be sure the background checks are fully informed. To the degree we are working with our government clients, does government have the data necessary to make sure our systems are properly secured and are they sharing that data appropriately?

The supply chain issues also create obstacles.

We need to test and screen equipment we get from our vendors. This means we need to have a secure and trusted relationship with these vendors and that they are following through properly.

There also needs to be appropriate training especially for people involved in these issues overseas.

Do we have the right policy regarding the use of our equipment overseas? Have we addressed the cultural issues so that we understand security the same way our overseas partners understand it? Are we all on the same page?

For organizations that have not yet made cyber security a true priority there are other barriers, often primarily economic. There is a tremendous commoditization taking place in the industry.

This means more and more features are included in more and more products so there is very little margin to cover the cost of security in the product.

This dwindling economic margin means that research and development cannot be performed to assure that there is an adequate degree of security in the product. Organizations need to develop a greater awareness that the threat is real, and they may have to pay to address it.

This is very difficult in a commoditized market wherein users are not placing a high value on security.

The market reality is that we want more and more features. If the customers don’t think it’s important for a feature to be secure, or are uninterested in paying for that security, we have a problem. When the consumer doesn’t demand security and is unwilling to pay for it, providing security becomes uneconomic.

As a result, there is not the demand needed for trickle-down economics. There just are not adequate economic incentives for security. There is a phenomenal lack of incentive for cyber security spending.

What can the US Government do to best assist you in improving your cyber security in the short term?

Again, starting with the organizations that already have established a priority on cyber security, we need better intelligence and information sharing for these organizations.

We need to make sure the right channels are in place and approved by the lawyers. Attempting to address the information sharing issues between industry and government without involving the lawyers reflects a misunderstanding of some of our core problems and will lead to the same frustration we have had addressing this issue for years.

We need to be sure that the information being shared by our government partners can be put into action.

We need to get the roadblocks out of the way with respect to the timeliness of the information. With the rollout of the cyber initiative, we need to be able to move forward quickly to implement good ideas and encourage voluntary steps instead of federal mandates, which, due to the inherent nature of the Internet, will not work.

Government needs to work with industry on establishing standards and practices that appreciate the evolving nature of multi-media communication technologies such as VoIP to help assure that this and other modern platforms are properly secured. For organizations that are focused on the threat, and even more urgently for those who have not yet come to the realization, there needs to be serious education across all sectors about the threat.

Educational efforts must be far, far more aggressive than what has existed so far.

There was a lot done after 9/11 to educate about terrorism in general. We need a similar education initiative with respect to cyber security. Government needs to embrace the idea that cyber security is a business issue, not a technical issue. Again, this needs to be done much more systematically, aggressively and with more sophistication than previous programs.

The government needs to examine how it can use its market powers, not its regulatory powers, to motivate an ongoing and sustainable system of cyber security. There is a wide range of ways government can begin to do this.

Among some of the possible examples worthy of consideration:

  • Security can be better tied into government procurement with higher levels of cyber security necessary to get government contracts.
  • The government should work with the finance and insurance industry to incorporate cyber security risk management as an underwriting principle. Adopting a risk management framework is the only way we will achieve sustainable cyber security among the organizations that own and operate the vast majority of what we call the Internet.
  • The Small Business Administration (SBA) generates a lot of loans to new and expanding businesses and this process could be used to encourage better cyber security practices.
  • ISA has testified before Congress on many occasions specifying other mechanisms for providing market incentives (see detailed appendix).

What can the US Government do to best assist you in improving your cyber security in the long term?

  • There needs to be research and development, especially in areas such as the development and implementation of new secure basic protocols for the Internet, which will not be undertaken in the private sector due to the lack of a viable business plan for implementing them profitably.
  • Government needs to be involved in supply chain issues and support solutions that are economically practical for the private sector. This would include working with the private sector to develop a consensus framework to assure secure systems. This needs to be done on an international basis with market motivators that transcend national boundaries.
  • Involve American business schools by making cyber security educational programs a domain of expertise and integrating cyber security into undergraduate and MBA (or even liberal arts) courses.
  • Loans need to be made available and procurement reform must be addressed.
  • Make sure non-defense and intelligence (civilian agencies) sectors of the government make cyber security a priority.
  • Re-examine laws governing telecommunications from the 1980s to assure they allow for appropriate security in the digital age.
  • Examine the legal structures to encourage voluntary reporting of security incidents and reasonable data gathering that can be used to properly assess risk on a corporate basis.

If you had 5 minutes to discuss cyber security with President Obama what would you tell him?

  • There is a tremendous awareness problem with respect to cyber security.
  • We need an incentive model to encourage better cyber security.
  • We need to drive home the idea that you can have 95% security but the other 5% is still a massive hole. There is not enough of an appreciation of this at higher levels within government today.

In short:

  1. Be careful as you craft policies and expectations.
  2. Be knowledgeable about what industry is doing before you act.
  3. Embrace the partnership model, not mandates.
  4. Advocate for adequate funding for R&D.
  5. Make sure intelligence is well coordinated with industry.

Download a complete copy of The Cyber Security Social Contract: Policy Recommendations for the Obama Administration and 111th Congress.

The Internet Security Alliance (ISAlliance) was created to provide a forum for information sharing and thought leadership on information security issues. The ISAlliance represents corporate security interests before legislators and regulators; in so doing, the alliance aims to identify and standardize best practices in Internet security and network survivability, while creating a collaborative environment to develop and implement information security solutions.

*   *   *

The Publisher gives permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author and to Information-Security-Resources.com
