More action, not just talk, needed on cybersecurity

Former acting federal cybersecurity chief Melissa Hathaway used the public forum afforded her by the Internet Security Alliance yesterday to warn that the government is losing the sense of urgency it needs to tackle the many pressing cybersecurity challenges it faces. After receiving an award for her work reviewing national cybersecurity policy for the Obama administration, Hathaway called for more collaboration and more explicit action by both private and public sector organizations on improving security. In addition to a call for “bold steps forward,” she said there needs to be more dialogue and transparency about the realities of the threats facing computing infrastructure. Her comments presumably would be well received by the current administration, which through new cybersecurity czar Howard Schmidt and policy statements by Secretary of State Hillary Clinton has emphasized a need for greater cooperation on security across sectors and among countries. Her words were probably welcomed by her hosts as well, as the ISA has called publicly in the past for greater government engagement with the private sector on security, including a recommendation that the government should offer incentives to companies to fix security problems.

Without at all diminishing the critical importance of moving forward aggressively on enhancing cybersecurity defenses and protecting critical infrastructure, it seems that the nature of the dialogue and the frequency with which the urgency is expressed are becoming part of the problem. Every new incident that comes to light is quickly labeled a “wake-up call,” most recently including the Google attacks suffered in China. A quick Google search this morning for “cybersecurity wake up call” returns 376,000 hits — is this not sufficient to rouse us from our collective slumber? It’s also hard to find fault with an approach that seeks to leverage public and private sector expertise, but given the breadth of collaboration routinely called for, it also seems likely that encompassing such broad input will impose its own set of barriers to taking action. The cybersecurity review for which Hathaway received the ISA’s Dave McCurdy Internet Security Award was noteworthy not just for the ambitious scope and content of its recommendations, but also for the relative brevity (60 days) of the review in contrast to government analyses that can drag on for months or years. However, the report from the review was released over eight months ago, and only recently has any progress been made even on basic recommendations like the appointment of the cybersecurity czar and increases in federal cybersecurity programs for education and research and development. If the most recent wake-up calls are sufficiently jarring to prevent once again hitting the figurative snooze button, the results should be seen in explicit actions, not in more or broader discussions.