There's been much discussion of late regarding the perceived lack of expediency by federal agencies to identify and prioritize critical cyber infrastructure needs. The Department of Homeland Security’s National Center for Critical Information Processing and Storage (NCCIPS) is sanctioned to host departmental applications and handle network connectivity, disaster recovery and critical data storage. Despite Congress approving $97.3 million in funding for NCCIPS for fiscal 2008, the migration of IT systems to the national center is reportedly moving slowly.

There are genuine concerns in not seeing good progression with this initiative, including an inability for agencies to feel confident that future security purchases will meet the formal compliance regulations that come from NCCIPS. Moreover, companies will be more hesitant in working with government agencies until future technical requirements are outlined.

But finger pointing is not the answer here, and coordinating, implementing and managing cyber security assets should not be the sole responsibility of NCCIPS. Corporate America has the duty and the expertise to be a key asset in protecting government IT systems. President Bush’s $6 billion request to combat cyber terrorism is a virtual call to arms to all businesses and organizations to do just that. It’s a matter of being part of the solution or part of the problem.


Summiting all participants

To expedite involvement, government agencies and prime contractors should call for a cyber security summit, designed to help identify and prioritize the apparently elusive critical security infrastructure needs. Corporations who do such work already hold clearances for their government contracts, so keeping discussions confidential is very doable.

Involvement should come in all forms, including agencies, non-profits, security product manufacturers/service providers, system integrators and assessors. Priorities should also be outlined in terms of the type of cyber threat - be it active or passive in nature.

Discussions should also include how current security policies and practices are impacting how well an agency’s network environment is able to protect both its information and employees. For example, organizations that fail to institute anonymous surfing practices when their staff members use the Internet for official business may unintentionally disclose their operating system, browser version, physical address and other sensitive information. Adversaries can use this information to uncover a government organization’s confidential plans and jeopardize their entire operation. Additionally, once an enemy knows an agency’s IP address, they can start scanning and attacking its network directly, endangering the organization’s data and infrastructure. Addressing these kinds of practices during the summit will put any conversation about the technical aspects of a network’s security architecture in perspective.