There are genuine concerns in not seeing good progression with this initiative, including an inability for agencies to feel confident that future security purchases will meet the formal compliance regulations that come from NCCIPS. Moreover, companies will be more hesitant in working with government agencies until future technical requirements are outlined.
But finger pointing is not the answer here, and coordinating, implementing and managing cyber security assets should not be the sole responsibility of NCCIPS. Corporate America has the duty and the expertise to be a key asset in protecting government IT systems. President Bush’s $6 billion request to combat cyber terrorism is a virtual call to arms to all businesses and organizations to do just that. It’s a matter of being part of the solution or part of the problem.
Summiting all participants
To expedite involvement, government agencies and prime contractors should call for a cyber security summit, designed to help identify and prioritize the apparently elusive critical security infrastructure needs. Corporations who do such work already hold clearances for their government contracts, so keeping discussions confidential is very doable.
Involvement should come in all forms, including agencies, non-profits, security product manufacturers/service providers, system integrators and assessors. Priorities should also be outlined in terms of the type of cyber threat - be it active or passive in nature.
Discussions should also include how current security policies and practices are impacting how well an agency’s network environment is able to protect both its information and employees. For example, organizations that fail to institute anonymous surfing practices when their staff members use the Internet for official business may unintentionally disclose their operating system, browser version, physical address and other sensitive information. Adversaries can use this information to uncover a government organization’s confidential plans and jeopardize their entire operation. Additionally, once an enemy knows an agency’s IP address, they can start scanning and attacking its network directly, endangering the organization’s data and infrastructure. Addressing these kinds of practices during the summit will put any conversation about the technical aspects of a network’s security architecture in perspective.
Risks and rewards should be shared by all
Corporate America should not only be willing to participate in such discussions, but also share in the responsibilities for its implementation. It is not enough for organizations to simply share their viewpoint, but they must also be ready to help in delivering solutions that improve the federal government’s security posture.
Sharing in the risks will bring with it ample rewards. In addition to solving this specific initiative, contractors and agencies will lay a solid foundation to identify other needs and solutions. This new partnership will open both opportunities and budgets, which making the associated operations efficient in both design and execution.