Cyber-Security Group Pushes 12-Point Plan On White House

A policy and advocacy group called on the Bush administration Tuesday to put more muscle behind cyber-security, and urged the White House to act on a dozen proposals and recommendations to protect the country's technology infrastructure.

The Cyber Security Industry Alliance (CSIA), which was founded in February 2004, by big name security firms such as Symantec, McAfee, RSA Security, Check Point, and Internet Security Systems, laid out a 12-point action list that included following up on industry and Congressional recommendations to appoint an Assistant Secretary-level position to oversea cyber-security, planning for a possible major disruption of the Internet, and sharing more threat information and analysis between government and the private sector.

"There's certainly a great deal of activity going on today with government understanding threats against physical infrastructure," said Paul Kurtz, the executive director of the CSIA, and one of the developers of the President's National Strategy to Secure Cyberspace. "I can understand why there's a bias toward the physical...an attack on a chemical or nuclear facility could cause casualties immediately...but I don't think we should be flying blind on the cyber-security."

The Bush Administration, said Kurtz, should be credited for taking steps to protect the country's technology, but "there is still more that must be done to harden our economy and critical infrastructure against potential cyber attacks.

Among the CSIA's recommendations are that an Assistant Secretary position be created in the Department of Homeland Security (DHS) to manage all aspects of the country's cyber-defense. The call for an Assistant Secretary -- who would be but two steps below the head of the DHS -- has been made previously, both before and after the abrupt October resignation of Amit Yoran, the DHS' cyber-security chief.A bill was introduced in the U.S. House of Representatives this fall to elevate Yoran's former position to the Assistant Secretary level, but never made it out of committee.

The CSIA also called on the White House to establish and test an emergency coordination network that would test scenarios and create contingency plans in case of a massive outage of the Internet.

"We're not talking about a Net meltdown," said Kurtz, "but a possible large-scale disruption. We don't have a way now to reconstitute the network, we don't have a Plan B."

Such planning is crucial, said Kurtz, not only because both the private and public sectors rely on the Internet for day-to-day operations, but because of the trend toward convergence in areas such as telecommunications. "When we're moving away from a dedicated switching network to voice over IP (VoIP), when voice and data share the same pipes, we need contingency plans."

Rather than jump into spending billions on a backup network for the Internet, Kurtz said that the federal government should bring data and threat experts to run low-tech table top exercises, and after that, simulations."We need to spin out simulations, such as a bolt-from-the-blue virus or a very large scale denial-of-service attack. We should be far more aggressive in thinking about this."

Kurtz wasn't ready to criticize the current administration, or even give it a cyber-security grade. "We're trying to be forward looking," he said. "We're just putting our hand in the air and saying, 'Let's think about cyber-security, too.'" But while he's optimistic that the proposals his group outlined will eventually become reality, Kurtz knows what he has to do.

"We've got to keep pressure on the White House. The infrastructure is getting attacked every day, so let's think a bit more about this."