Larry Clinton, president of the Internet Security Alliance, told senators that public apathy and ignorance played as much a role in the current state of cyber security as the unwillingness of corporate entities to take responsibility for securing the public’s data. “Many consumers have a false sense of security due to their belief that most of the financial impact resulting from the loss of personal data will be fully covered by corporate entities like the banks,” he said.
As for corporate and government entities that collect and store the public data, they “do not understand themselves to be responsible for the defense of the data,” said Clinton, whose group represents banks, telecoms, defense and technology companies and other industries that rely on the internet. “The marketing department has data, the finance department has data, etc., but they think the security of the data is the responsibility of the IT guys at the end of the hall.”
A 2009 PricewaterhouseCoopers study on global information security found that 47 percent of companies are reducing or deferring their information security budgets, despite the growing dangers of cyber incursions.
To improve cyber security, the public sector would have to institute sufficient market incentives to motivate companies to protect the public’s interests. Philip Reitinger, director of the National Cyber Security Center at the Department of Homeland Security, said that end users also need to be made aware of the simple things they can do to protect themselves — such as keeping software and anti-virus up to date.
“We need to, as a nation and as an IT ecosystem, continue to make it more simple for people to institute protections to determine if they’ve been compromised and to make sure they stay secure,” said Reitinger, a former Microsoft executive.
Civil liberties were also a concern of the panelists as they discussed privacy issues around the government’s implementation of Einstein 1 and 2 — programs designed to help monitor and protect government civilian networks — and Einstein 3, which the National Security Agency is currently developing for the same purpose. Reitinger said that DHS provides privacy and civil liberties training for those with the U.S. Computer Emergency Readiness Team who are responsible for implementing Einstein. He also said that the DHS’s Office of Cybersecurity and Communications has an oversight officer whose job is to ensure compliance with the rules.
One panelist, Larry Wortzel, a retired Army intelligence officer, made the case for the NSA to take the lead on the government’s cyber security initiatives, despite the agency’s public stance that it has no interest in assuming the position. “If, in fact, the NSA has technical capabilities beyond those of the providers, why should you be relying on the providers in areas where the NSA actually has greater capability?”
http://www.wired.com/threatlevel/2009/11/cyber-attacks-preventable/