Trade Law Daily is a service of Warren Communications News.

Cybersecurity Lags, Public-Private Partnerships Needed, Conference Hears

Fallout from a “cyber Pearl Harbor” would far exceed the wreckage from 9/11, House Govt. Reform Chmn. Davis (R-Va.) told the Security & Technology Online (SATO) conference Wed. He wants more public-private cooperation on cybersecurity with an eye toward a highly competitive global marketplace.


To help that effort, Congress has passed legislation that lets companies share with the govt. word of possible threats against the U.S. network infrastructure without risking Freedom of Information Act disclosure duties, Davis said. Congress also has “tried to take some of the legal vulnerabilities away… so when you share with the government, you're not penalized,” he said. Govt. must be smart in identifying its needs but “we're not always good at doing that,” Davis said, calling clarity in procurement “a great failing of government.”

The U.S. spends $65 billion annually on IT products, a sum that will near $90 billion by fiscal 2010, Davis said. The govt. must “protect that investment and make sure when we put these [projects] online, our investments are secure,” Davis told the Web-based summit.

Davis also ticked off a list of govt. “cybersecurity do’s and don’ts.” Agencies should secure their people, facilities and networks using state-of-the-art tools, and criminal law should be enforced to the letter, and in some cases rewritten, to reflect technological changes, he said. The U.S. should abide by international conventions and treaties on cybercrime, data sharing and related fields, and U.S. law enforcement must get the personnel, tools and training needed to conduct more domestic and international investigations. Funding for basic research on cybersecurity should rise and analysts from the public and private sector should be encouraged to share data on emerging cyber-threats, he said.

The govt. has a duty to work with industry and academia to enhance education and recruitment of software developers and strengthen their training. Some computer science grads are entering the workforce without knowing cybersecurity, he said, saying a basic IT degree often doesn’t require a single course in the subject. And over 1/2 of U.S. cybersecurity experts are foreign nationals, he said.

Davis spoke as forcefully about what govt. shouldn’t do. Govt. shouldn’t thwart innovation with inappropriate curbs and standards and redundant certification, he said. The U.S. mustn’t respond to the increasingly competitive international IT marketplace by “becoming isolationists.” That tendency is “a huge danger for the U.S.,” which has “dominated cyberspace” many years, Davis said. “But we're now seeing growth in foreign countries and the U.S. is acting like we own it [while] rest of the world is developing around us,” he warned.

Davis also touched on Homeland Security Dept. slackness and IPv6. DHS still deserves an F on secure computing under the Federal Information Security Management Act (FISMA), he said. The agency now understands “you're only as strong as your weakest link” and it will be working over the next several years to strengthen its performance, he said. “This is a work in progress and it’s going to take some time.” Meanwhile, some regions of the world with limited IPv4 address space eagerly have been testing IPv6 while major U.S. agencies lag on next-generation Internet preparations. “It’s easy for us to say we have enough domain names to last,” he said. But if the rest of the world is embracing IPv6 and the U.S. isn’t, “our industries are going to be left behind.” Asian nations have been aggressive about investing in and adopting IPv6 strategies because the continent controls only 9% of IPv4 addresses. Europe has created a task force with the dual mandate of initiating country-specific IPv6 plans and seeking regional and global cooperation, Davis said: “We can’t ignore that.” -- Andrew Noyes