Progress has been made on the US government's strategy for protecting the Internet and securing information systems, but the work is not done, a panel of experts said on Tuesday.
On Valentine's Day three years ago, the Bush administration signed off on the National Strategy to Secure Cyberspace. The policy statement called for the government to work with private industry to create an emergency response system to cyberattacks and to reduce the US' vulnerability to such threats.
"We're much stronger today than we have been ever in the past," Howard Schmidt, independent security consultant who has served as cybersecurity adviser to the White House and security executive at Microsoft and eBay, said in a panel discussion at the RSA Conference in San Jose on Tuesday.
Schmidt was joined on the panel by Andy Purdy, acting director of the National Cyber Security Division at the Department of Homeland Security; Daniel Mehan, former chief information officer at the Federal Aviation Administration; and James Lewis, a director at the Centre for Strategic and International Studies.
Panellists agreed that progress has been made in the past three years, but cyberattacks advanced during that time.
"Are we making good progress? Yes. Do we have to hit some afterburners? I think that answer is yes also," Mehan said. He would give government and large businesses somewhere between a D and a C+ grade for their cybersecurity status, he said.
"If you look at the kind of pressures we're facing, there was a 500 percent increase in incidents tracked by CERT from 2000 to 2003," Mehan said. Cybersecurity efforts, while improved, did not do grow at the same order of magnitude, he said.
Much of the progress that was made in the past years was on sharing information between private businesses and the government, which was recently tested in a mock attack dubbed Cyber Storm. Coordination among government and industry is necessary for responding to and recovering from broad attacks on critical infrastructure.
But much remains to be done. Purdy's list of wishes includes simpler security for consumers, protection for kids online, higher awareness about the risks of file sharing, fewer security vulnerabilities in software, and greater interest from business chiefs.
"We have to send a message that the risk is real," Purdy said. "Chief executives no longer have to rest assured that if they don't hear of a problem, it doesn't mean it is not going on."
Schmidt also called for improved software security. He also wants more attention for small and midsize businesses and to ramp up the fight against phishing and other attacks that attempt to dupe users into giving up personal information.
Lewis called for new cybercrime laws, in particular a cybercrime treaty drafted by the Council of Europe. He also called out the US telecommunications infrastructure as vulnerable to attacks and said research should be done to prepare for the next generation of cyberattacks.
Industrial espionage needs attention to improve security for national security purposes, Lewis said. "In some cases things have improved in some federal entities, but that's probably because everything of value has already been downloaded," Lewis said.
