Let’s end pass-the-buck security

At InfowarCon in 1997, one of the first public debates was held on who should protect the private sector (an economic national security asset) from the “bad guys” – not just from hacking, but also international espionage and terrorism. There were two camps. One suggested that the government should take the protective lead. The other camp said, “No, keep the Feds out of my company. We’ll take care of ourselves.”

Then came Sept. 11, and the interdependence between all our infrastructures became clear; we are all in this together. So the Department of Homeland Security was formed to be the catch-all of security, including cybersecurity, for the U.S.

In December, Rep. Adam Putnam (R-Fla.), chairman of the House Government Reform Committee’s Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census, released the 2003 federal computer security report card for the U.S. government. The DHS received a failing grade, and the average score for the entire federal government was a dismal D. The Feds failed cybersecurity responsibility for their own systems, yet they want to guide the private sector’s efforts.

So how much in information security has changed in the last 20 years? Next to nothing, and in many ways, things have gotten worse. Last month, the General Accounting Office (GAO) reported there were 1.5 million reported cyberattacks against government facilities in 2003, a threefold increase over 2002.

I speak to senior management across the country, and too many of them feel that the DHS has it covered and that they don’t have to spend bottom-line dollars on security. They’re passing the buck to the Feds, who are in no better shape and perhaps measurably less responsible than the rest of us.

The GAO and endless other reports cite what we have known for years: Companies need to take responsibility for their own security. We have seen some positive movement in that direction with security awareness, but these efforts tend to be aimed at employees, ignoring the group that can do the most good: senior management.

How many managers understand the real security issues we face, much less are able to discuss the intricacies of their interdependence? How many managers follow the same advice and policy directives they expect their staff to follow? How many managers know their counterparts at competitive organizations who all face the same threats?

What’s needed is a rapprochement between competitors within the same industries, and a détente between the government and private sector, each of which have almost diametrically opposed modus operandi. Impossible you say? Not.

Look at the progress made by the Financial Services Information Sharing and Analysis Center. With the cybereconomy being “the economy,” according to National Security Advisor Condoleezza Rice, what more compelling an arena to define the necessity of responsible cooperation than the financial infrastructure?

Cooperation means taking responsibility, not passing the buck. It means being willing to take risks with others, share the ups and downs as we learn how to secure the most complex infrastructure ever conceived or built by humans. Cooperation means working with the government, but not abdicating control or responsibility to it.

Under the stewardship of FS-ISAC Chairperson Suzanne Gorman, a foundation for a model of success has been built. But these initial successes will require an intensive ongoing effort at responsible cooperation (often difficult); funding (often distasteful or painful); and the taking of responsibility, something too many of us have forgotten.

None of us have it all right. None of us have it all wrong. But we all have to take and teach the same responsibility we were taught as children: It’s your own damn fault if you touch a hot stove again and again.