Carrot or stick?

Two years ago, the Homeland Security Department outlined plans to enumerate and protect cyberassets in its National Infrastructure Protection Plan (NIPP).

"It was a traditional military approach," said Larry Clinton, chief operating officer of the Internet Security Alliance, a nonprofit group representing the information technology industry and academics. "And it got nowhere."

Since then, after many talks with the IT industry, DHS has moved to include cybersecurity in all of the 17 infrastructure sectors that have developed their own protection plans, including energy, water, food, IT and financial services.
"The integrated approach is a step in the right direction," Clinton said.

Clinton and others are seeing advances in national cybersecurity. But he and many other IT executives, along with the Government Accountability Office, also see areas where progress has been slow.

The IT sector protection plan, and plans for other sectors, were submitted in December 2006 and are undergoing an interagency review process, said a DHS spokesman. Meanwhile, Greg Garcia, named assistant secretary for cybersecurity and telecommunications in September 2006, has made speeches in the past several months outlining his activities in fostering information sharing, implementing the NIPP and offering guidelines for federal information security.

Even so, IT executives say there are still many questions about how the government will strengthen cybersecurity. There are discussions about what the appropriate government role is and how to share information to warn of vulnerabilities and cyberattacks. Other points of contention include how to protect identities on the Internet, whether there should be federal incentives to the private sector to boost information security, and whether companies that survey Internet network traffic should have a role in the nation's cybersecurity.

For example, the Senate's version of the law to implement the 9/11 Commission's recommendations has provisions that would establish a government-run, voluntary accreditation and certification program for information security that would apply to the private sector.

"This approach of regulating the IT sector is entirely wrong," Clinton said. "When you think of the dismal government scores on [the Federal Information Security Management Act], are these the people we want running information security for the private sector?"

A better plan would be to offer incentives such as changes in insurance, liability protections and government procurement policies, along with possible tax changes encouraging companies to adopt best practices for IT security, Clinton added.

"Congress has been looking at both carrot-and-stick approaches," said Peter Bello, senior vice president of federal government of Entrust Inc., a provider of IT security products and services. "I think if you dangle a carrot, you will be more likely to succeed."

Another idea, this one promoted by Ed Amoroso, chief of information security at AT&T Inc., suggests that companies such as AT&T, which have a real-time, around-the-clock view of Internet activity, can play a stronger role in cybersecurity.

At a recent conference sponsored by AFCEA International, Amoroso presented numerous charts showing sharp spikes and flooding of the Internet from various viruses and worms. AT&T not only has the ability to identify those events early on, but also has the capability of blocking proliferation of the worms on the network, he said.

It is not clear what fees AT&T might charge the government, but a knowledgeable source said federal officials have talked about obtaining the service for free. Amoroso has said in news media articles that AT&T would make a profit by offering such a service to private companies.

He did not respond to a request for further comment.

The idea, while still in its early stages, has gained some traction. Entities such as AT&T, Verizon Communications Inc., Symantec Corp. and the Internet Security Alliance can play a role in providing greater situational awareness to DHS, said Liz Gasster, acting executive director of the Cyber Security Industry Alliance.

"The government needs situational awareness," Gasster said. "And the government should be prepared to pay for it."

However, other IT executives warn of the risks of relying too much on large telecommunications companies as part of the nation's infrastructure protection. "That is tricky territory," said a high-level IT policy executive. "The telecoms have a history of cooperating with the government-think of the National Security Agency and of not always protecting the data."

The Government Accountability Office, in March 20 testimony, also reported challenges cited by IT industry executives in developing a working relationship with DHS.

They blamed a lack of trust with DHS, high turnover at the department and a lack of understanding among DHS employees of IT infrastructure operations.

Garcia, aiming to improve relationships with DHS, recently invited private-sector representatives to move into offices of the U.S. Computer Emergency Readiness Team in Arlington, Va. There also is talk of putting the National Communications Service in the IT Information Sharing and Analysis Center.

"It's so basic, but when you put desks side by side, the relationships develop," Gasster said.

But there are still questions about who will be invited to join the center and who might be left out. "Co-location is not the answer. It would severely restrict companies from participating due to their inability to receive clearance for a sufficient number of personnel. In effect, only those companies that are already working with the government as contractors would be able to fulfill this requirement," said Pete Allor, director of intelligence at IBM Internet Security Systems. He is on the executive committee for the IT-sector coordinating council.

Allor suggested that U.S. CERT could share information remotely and focus on creating "an open and trusted operational environment" to share information on cyber response and recovery.

Overall, however, progress in cybersecurity is being made, though it is slow.

"These things take time" said John Hopkinson, president of the International Systems Security Engineering Association. "Perhaps some people were overly optimistic about the timetable."

And despite Garcia's appointment, there still are concerns about whether enough high-level federal attention is being paid to the issue.

"The number of government senior employees who spend a substantial portion of their time on cybersecurity is quite limited," said Ed Black, president of the Computer and Communications Industry Association.

Staff Writer Alice Lipowicz can be reached at alipowicz@1105govinfo.com.