There are genuine concerns in not seeing good progression with this initiative, including an inability for agencies to feel confident that future security purchases will meet the formal compliance regulations that come from NCCIPS. Moreover, companies will be more hesitant in working with government agencies until future technical requirements are outlined.
But finger pointing is not the answer here, and coordinating, implementing and managing cyber security assets should not be the sole responsibility of NCCIPS. Corporate America has the duty and the expertise to be a key asset in protecting government IT systems. President Bush’s $6 billion request to combat cyber terrorism is a virtual call to arms to all businesses and organizations to do just that. It’s a matter of being part of the solution or part of the problem.
Summiting all participants
To expedite involvement, government agencies and prime contractors should call for a cyber security summit, designed to help identify and prioritize the apparently elusive critical security infrastructure needs. Corporations who do such work already hold clearances for their government contracts, so keeping discussions confidential is very doable.
Involvement should come in all forms, including agencies, non-profits, security product manufacturers/service providers, system integrators and assessors. Priorities should also be outlined in terms of the type of cyber threat - be it active or passive in nature.
Discussions should also include how current security policies and practices are impacting how well an agency’s network environment is able to protect both its information and employees. For example, organizations that fail to institute anonymous surfing practices when their staff members use the Internet for official business may unintentionally disclose their operating system, browser version, physical address and other sensitive information. Adversaries can use this information to uncover a government organization’s confidential plans and jeopardize their entire operation. Additionally, once an enemy knows an agency’s IP address, they can start scanning and attacking its network directly, endangering the organization’s data and infrastructure. Addressing these kinds of practices during the summit will put any conversation about the technical aspects of a network’s security architecture in perspective.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.