US cybersecurity tsar marches on
Published: 20 Feb 2007 17:32 GMT
…to think creatively about how companies can invest and feel good about the investment knowing that there is a return.
Could it be like the tax breaks on hybrid cars? Could I get a tax break if I buy a computer system with enhanced security, similar to when I buy a Prius today?
A lot of it is exactly that. But it has to be customer driven — if you're my customer, and you say: "I'll do business with you if you can show me that you have a secure system". We're trying to raise awareness to get everyone thinking proactively about security instead of reacting to breaches or internet disruptions because they didn't prepare. A lot of this is going to be customer driven; there may be some tweaks to laws that Congress can do that will drive investment.
Like many in the industry, you predict that all worldwide communications will be going over a single, internet protocol-based pipe. Is that a scary thought?
It can be if we don't address the full spectrum of issues. Having our information and communications travelling through the same pipe introduces efficiencies for enterprise management, cost savings, productivity, a panoply of features. This is the next-generation network, but with that comes more vulnerabilities. We need to be clearly aware of what those vulnerabilities are and take steps now as we build out this little architecture, [and] build in more security as we go.
At the same time, you see a threat in globalisation of the IT industry.
Globalisation is great and, just [like] convergence of networks, globalisation introduces new efficiencies and economies of scale. However, there are risks involved with that, because the more you distribute your design, your manufacturing, your packaging, your shipping, the more there are opportunities for vulnerabilities to be introduced. A lot of the malicious hackers are outside of the US.
Many global companies that I've talked with are acutely aware of that and have very stringent controls in terms of employee clearance processes, background checks — that kind of thing.
Still, Apple shipped a Windows virus on iPods assembled overseas.
All companies need to be watchful. Globalisation does present risks, but ultimately the test is not where something is made, but how it is made. There have to be security procedures built into the supply chain, particularly if you've got a global supply chain.
You talked about US-CERT, your network monitoring centre, moving in with private sector security monitoring efforts. What are the benefits of this?
For us to have a truly effective instant response, you need trusted information sharing between the key stakeholders. If we don't have that, we're not going to work as well together, so collocating and bringing them together physically is the way to go.
Hard-drive encryption is becoming more popular. Windows Vista has BitLocker, and Macs have had FileVault for a while. Where do you stand on encryption? Is America better off with encryption being available to lots of people, or should it be restricted?
Encryption is one tool among many. DHS needs to continue to promote innovation in the private sector. Let the marketplace determine what the best tool to use is.
When it comes to being able to prosecute criminals, should there be a backdoor to let law enforcement access encrypted files?
We don't want to regulate the technological marketplace. We can fight technology with technology and use the tools at our disposal.
There will be a second major readiness exercise, CyberStorm II, in March next year. Do you know what the focus will be?
We had our first planning session a few weeks ago, so that's still in the developmental stages. We do want to extend to other industry sectors, and we'll bring in more state actors and international actors. Exactly what the scenarios are going to be that we'll be responding to — that's yet to come.
Previous
Did you find this article useful?
4 out of 4 people found this useful
- Share this article:
