Top executives of major corporations should expect to serve on new government cybersecurity panels if president-elect Barack Obama follows the recommendations released this week by a think-tank panel.
In particular, leaders from four key areas (energy, finance, the converging information technology/communications sectors and government) would serve on The President's Committee for Secure Cyberspace.
Those chosen would be a very select group and could not send proxies to meetings. “[The committee] must be limited to C-level membership (not Washington representatives),” according to Securing Cyberspace for the 44th Presidency, a report by members of the Center for Strategic and International Studies.
Committee meetings would lay the groundwork of trust needed so this key group could function well together in actual emergencies, the study says, “for real information exchange and for collaboration in a time of need.”
The four industries were chosen for the committee because they “form the backbone of cyberspace. … Keep these sectors running and cyberspace will continue to deliver services in a crisis. Bring them down, and all other sectors will be damaged.”
But the report also seeks support from a broader set of industry representatives. They would participate in a town hall group designed to receive cybersecurity information from government and to give input. Among the industries that would be represented are nuclear, electricity, food and agriculture, public transit, chemicals, oil and gas and health.
“Absent the creation of this group,” the report says, “we will continue to rely on ad hoc and incomplete efforts to educate the public on how to operate more securely in cyberspace.”
The report also seeks new regulations with the teeth to enforce standards that would establish a more secure infrastructure. One suggestion: tie the grant of federal economic stimulus money to complying with standards for secure industry control systems – no compliance, no money.
Under the recommendations, telecom carriers that want to do business with the federal government would be required to use secure Internet protocols.
Less stringent proposals include security guidelines for buying IT products (software first) and for securing critical cyber infrastructure.
The study drew public attention for its dire warnings about the vulnerabilities of U.S. network infrastructures and the devastating potential effects should they be exploited. Many of the problems have been known for years, but progress has been slow.
One area targeted by the report, supervisory control and data acquisition (SCADA) systems, which run the networks that control valves and switches in industry and utilities, has been the subject of security studies for years, but so far no widely enforced standards exist.
“When security changes from a should-be to a must, that’s when something will be done,” says Ira Winkler, president and acting CEO of Internet Security Advisory Group, who has hacked power company networks.
“I don’t get it. Why can we take tweezers away from people at airports but we can’t tell power companies that they must take security measures to keep the power up?”
He agrees with some of the report's recommendations to create enforcement mechanisms for effective security regulations. "If your company takes federal funds, you will make sure critical systems are tested quarterly and patches are implemented within a certain period of time," Winkler says.
Relying on voluntary action has never worked well, he argues, and will work even less well given the bad economy. "You're asking cash-strapped companies to invest in security knowing it's the right thing to do. They just won't," he says.