Cyber 'epidemic' grows more urgent

WILLIAMSBURG, Va. -- When the country was threatened with an H1N1 flu pandemic in 2009, nearly every sector of society got involved with educating the public. Agencies such as the Centers for Disease Control and Prevention set up websites, public-service TV ads were aired, schools preached good hygiene, and supermarkets posted signs and other advisories.

“Now, it’s a cyber epidemic,” said Bob Dix, vice president for U.S. government and critical infrastructure protection for Juniper Networks. “Why aren’t we educating people?”

Dix was speaking on a cybersecurity panel Oct. 25 at the Executive Leadership Conference, about the growing growing threats to cybersecurity. The panel was called “Taking it to the Net: Security Boon or Bane.” ELC, staged by the American Council for Technology and the Industry Advisory Council, took place in Williamsburg, Va.

Dix and the other panelists said the interconnected nature of systems has made all of them vulnerable, threatening both government systems and individuals. However, the panelists said, despite the urgency and the seriousness of the worry, the United States’ overall cyber defense isn’t strong enough.

“Right now, we’re a soft target,” said Sherri Ramsay, director of the National Security Agency/Central Security Service’s Threat Operations Center. “We’re very easy.”

Agencies are familiar with cyber threats, of course, but it’s a question of degree. “Nothing we’re talking about today is new,” Dix said. “What’s new is the threat is more severe.”

Making it tougher to penetrate systems involves a number of steps, including instituting security standards, getting agencies to share information more readily and raising awareness among the public, panelists said.

Some of those steps are already underway. Matt Coose, director of the Federal Network Security Branch of the Homeland Security Department’s National Cybersecurity Division, cited the work of NSA and the National Institute of Standards and Technology in creating the Security Content Automation Protocols, which, he said, “have really come a long way.”

A next step, Coose said, is to take standards to the international level.

Ramsay said agencies also have gotten much better over the last few years at collaborating on security. She said about 30 entities around government take part in a teleconferenced meeting five days a week to discuss security. It’s typically a short meeting, but agency representatives get to talk about what’s going on with their networks, and it establishes a rapport that would prove helpful in an emergency.

“In a crisis, those meetings would go seven days a week, and probably several times a day,” Ramsay said.

Dix agreed that sharing information has become more common among security teams. “I’ve sat in meetings with people who never used to come to the table,” he said.

In addition to collaborating with each other, government agencies must also get the message out to the public, panelists said. “This solution is going to be driven by the market,” Dix said.

Ramsay said her presence on the panel was one sign that NSA was looking to raise security awareness. Two years ago, NSA would not have sent the director of its threat operations center to give public talks, she said. Now, she spends a fair amount of time doing just that.

Ultimately, collaboration must grow into an effort that covers all sectors. Dix said a lot of the pieces are in place now, but “the operational piece is what’s missing.”

Ramsay also called for a combined effort. “We absolutely have to have a Team Cyber” consisting of the public and private sectors and academia, she said, and which much be interoperable at the system, network, people and policy levels.