9/11 security lessons lost on businesses?

CEOs should act to protect key national assets, consultant says

CHICAGO -- In the six years since 9/11 people in charge of key infrastructure have lost their sense of urgency to improve security, according to a panel at the Security Standard conference today.

“Treat every day as if it is 9/12 of 2001,” says Stephen Squires, a former NSA employee and now a security consultant. “Everybody in America has to decide what they’re going to do and do it. Don’t wait for somebody else to do it.”

He called for CEOs of major industries to determine what their companies can do to improve security of their networks and to take steps toward that even if it means extra spending.

To continue reading, register here and become an Insider. You'll get free access to premium content from CIO, Computerworld, CSO, InfoWorld, and Network World. See more Insider content or sign in.

CHICAGO -- In the six years since 9/11 people in charge of key infrastructure have lost their sense of urgency to improve security, according to a panel at the Security Standard conference today.

“Treat every day as if it is 9/12 of 2001,” says Stephen Squires, a former NSA employee and now a security consultant. “Everybody in America has to decide what they’re going to do and do it. Don’t wait for somebody else to do it.”

He called for CEOs of major industries to determine what their companies can do to improve security of their networks and to take steps toward that even if it means extra spending.

Catherine Allen, chairman and CEO of the Santa Fe Group, says that in the financial industry, businesses are security-focused. That’s because they have huge assets to protect and because they were they target of the 9/11 attacks. She said she sees continuing improvement of financial network infrastructure. “I sometimes feel like [this industry is] alone in that,” she said.

Her industry relies on carriers and power companies to support its networks, but she said their preparations for disaster may not be enough. “We work with energy and telecoms and tell them how dependent we are on them and that our regulations require us to be up within two hours of a crash,” Allen said.

The federal government doesn’t appreciate that these regulations don’t take into account that financial networks rely on these other providers, and that lack of understanding is damaging. “I think we’re doing an abysmal job on a federal government level,” she said.

Another panelist, Michael Assante, infrastructure-protection strategist for Idaho National Laboratory, said protecting power lines is a tough task, as evidenced by attacks against them in other countries that resulted in major business disruptions. “It’s a very difficult industry to protect,” he said.

Squires said that computer hardware could be made more secure based on industry research completed in the mid-1960s, but that no one has acted on it. “We’re living on a mid-20th-century computer architecture. There are better ways to do it. Why wait and ask for permission?” he said. “Leaders of great industries have to come together and decide they’re going to lead.”

He said security features built into Trusted Platform Module chips is a simple example of this type of technology. These chips are used to verify that devices have the appropriate security configuration.

Assante urged attendees at the Security Standard to return to their businesses and re-evaluate risks against their networks in a new light. “Consider how you do business, what are your critical assets and what could go wrong,” he said. And then develop a plan to defend them.

Squires said today’s CEOs should take note of top executives from history who put aside pure profit as a motive in order to take action for national security. He said the business-government cooperation of World War II is a model that should be followed. “Great CEOs recognized the challenges of their times and made difficult decisions for the benefit of the country, even if it didn’t make the extra dollar,” he said.