By Joris Evers, 15 February 2006 08:45
Progress has been made on the US government's strategy for protecting the internet and securing information systems but the work is not done, a panel of experts said on Tuesday.
On Valentine's Day three years ago, the Bush administration signed off the National Strategy to Secure Cyberspace. The policy statement called for the government to work with private industry to create an emergency response system to cyber attacks and to reduce the nation's vulnerability to such threats.
In a panel discussion at the 2006 RSA Conference on Tuesday, Howard Schmidt, an independent security consultant who has served as cyber security adviser to the White House and as a security executive at eBay and Microsoft, said: "We're much stronger today than we have been ever in the past."
Schmidt was joined on the panel by Andy Purdy, acting director of the National Cyber Security Division at the Department of Homeland Security; Daniel Mehan, former chief information officer at the Federal Aviation Administration; and James Lewis, a director at the Center for Strategic and International Studies.
Panellists agreed that progress has been made in the past three years but that cyber attacks have also advanced during that time.
Mehan said: "Are we making good progress? Yes. Do we have to hit some afterburners? I think that answer is yes also." He would give government and large businesses somewhere between a D and a C+ grade for their cyber security status, he said.
Mehan added: "If you look at the kind of pressures we're facing, there was a 500 per cent increase in incidents tracked by Cert [computer emergency response team] from 2000 to 2003." Cyber security efforts, while improved, did not grow at the same order of magnitude, he said.
Much of the progress that was made in the past few years was on sharing information between private businesses and the government, which was recently tested in a mock attack dubbed Cyber Storm. Co-ordination among government and industry is necessary for responding to and recovering from broad attacks on critical infrastructure.
But much remains to be done. Purdy's list of wishes includes simpler security for consumers, protection for kids online, higher awareness about the risks of file sharing, fewer security vulnerabilities in software, and greater interest from business chiefs.
He said: "We have to send a message that the risk is real. CEOs no longer have to rest assured that if they don't hear of a problem, it doesn't mean it is not going on."
Schmidt also called for improved software security. He wants more attention paid to small and medium-sized businesses and a stepped-up fight against phishing and other attacks that attempt to dupe users into giving up personal information.
Lewis called for new cyber crime laws, in particular a cyber crime treaty drafted by the Council of Europe. He also described the US telecommunications infrastructure as vulnerable to attacks and said research should be done to prepare for the next generation of cyber attacks.
Industrial espionage needs attention to improve security for national security purposes, Lewis said. "In some cases things have improved in some federal entities but that's probably because everything of value has already been downloaded," he said.
Joris Evers writes for CNET News.com
