...to understand what was happening, attribute the source of it and help provide actionable guidance to help reduce the impact of that activity.
Have you been able to determine whether we are actually well prepared for this, or is there much that needs to be done?
We believe that we have a robust national cybersecurity response system. However, we recognise the need to enhance that system to more effectively prepare for significant cyberattacks or the cyberconsequences of physical attacks or natural disasters. There were 115 public, private and international organisations participating in the Cyber Storm exercise, most of them working from their regular place of business in 60 locations across the country and a number of other countries.
Do you have the results of the exercise?
It is a labourious effort to understand who said what to whom and when, to understand how well the communications paths and processes really worked. We expect that that effort will culminate in a report in the summer that we will be making public.
Was this exercise really about knowing if our information sharing works or was this about knowing if the US' defences work?
Because it was a simulated series of attacks, it did not involve attacks on real networks. It wasn't testing the ability to actually stop attacks. Instead, it was testing the communications paths and processes that would be used by the cybersecurity community, law enforcement, the intelligence community, the Department of Defense and the private sector in responding to significant attacks.
What do you think about the US' ability to actually defend itself against an attack. How well prepared are we to defend ourselves against one?
As President Bush said last week, America remains at risk. We remain at risk from both a physical and cyber perspective. In other words, malicious actors can attack our critical infrastructures and cause disruption. We are working to help mitigate the significance of those disruptions. We don't have perfect defences; we recognise that these are risks we have to mitigate, and this Cyber Storm was an effort to help advance that.
Do you have any recommendation for what government, companies and even individuals should do to help us protect the national infrastructure against cyberattacks?
The national strategy really lays out the call to action as to what folks need to do. For example, in the area of consumers, we're trying to raise awareness and we're doing so in partnership with the National Cyber Security Alliance and the Federal Trade Commission as to what folks need to do to help secure their systems. We're working closely with law enforcement, in addition to helping make sure that information that can be shared is shared about malicious activities and those who commit cyber-related crimes, to make sure those efforts are investigated and the individuals prosecuted.
We're certainly encouraging the private sector to use best practices to help secure their information systems. Just as [Homeland Security Secretary Michael] Chertoff has called for a risk management approach from a national perspective, it is critically important that the leaders of organisations use traditional risk management processes but include cyber-risks as part of those processes so that they assess and mitigate the cyber-risks that their organisations face. That mitigation can...
For more, click here...
