Ridge calls on business for security blueprint

SANTA CLARA – Calling on the private sector to do its part in securing the U.S. computer network infrastructure, top officials from the U.S. Department of Homeland Security Wednesday warned members of the high-technology industry that unless they took concrete steps toward cybersecurity, their industry could face government regulation.

“It should go without saying that the continued success of protecting our cyberspace depends on the continued investment of each of you and the businesses you represent,” said Homeland Security Secretary Tom Ridge, addressing an audience of Silicon Valley executives at the National Cyber Security Summit, a two-day event being held here in Santa Clara, Calif., to further U.S. cybersecurity policy.

The Summit is being sponsored by the Department of Homeland Security, along with the U.S. Chamber of Commerce and three technology industry groups: the Business Software Alliance, the Information Technology Association of America and TechNet.

“The President laid out a vision. Now we need a blueprint of practical steps we need to take to realize that vision,” said Ridge, referring to the White House’s National Cybersecurity Plan, which was released earlier this year as a guideline for security policy in government and private industry.

Securing the “vast electronic nervous system” that connects much of the U.S. network infrastructure may be a daunting task, Ridge said, but one made necessary by the terrorist attacks of Sept. 11, 2001. “These networks and the infrastructure they support do present an attractive target for terrorists,” said Ridge. “Terrorists know, as do we, that a few lines of code would ultimately wreak as much havoc as a handful of bombs.”

The Department’s Assistant Secretary for Infrastructure Protection Bob Liscouski was more direct on the need for industry self-regulation, saying that the private sector must step up to its responsibility and create a credible story explaining how it is working to address security issues. “You’ve got to help us tell that story,” said Liscouski, addressing the private sector attendees in the audience. “Because if we can’t tell that story, I can tell you, there are a lot of people willing to legislate how you should be doing that work.”

Ridge said that his department would work with industry over the next few months to “rigorously move forward to augment our cybersecurity capabilities,” but he provided few details of what that would entail.

Speaking after Ridge, National Cyber Security Division Director Amit Yoran said the department would begin delivering a series of security alerts and tips aimed at both security experts and home users. The department is also in the process of cataloging security vulnerabilities in the U.S., he said.

Critics of the National Cybersecurity Plan, however, say that it lacks teeth and that the Department of Homeland Security’s consensus-based approach to security gives the high-tech industry little incentive to improve matters. “The plan doesn’t do any good because it panders to everybody,” said security expert Bruce Schneier, founder and chief technology officer of Counterpane Internet Security. “Security is somehow anathema to politics because security involves pissing somebody off. As long as you look for consensus, you can’t get security.”

The government would achieve better results by using its buying power to force vendors to create secure software or by demanding that high-tech companies accept liability for insecure software, he said. “If they were liable for software vulnerabilities, you could guarantee they would fix them,” he said.