Risk
3/16/2011
04:40 PM
50%
50%

Why Cybersecurity Partnerships Matter

The public and private sectors must collaborate in new ways to ward off dangerous threats to critical systems and IT infrastructure.

For years, the federal government has launched one policy initiative after another to protect critical IT infrastructure in coordination with the private sector. There's been progress, but the threats--computer breaches from foreign parties, fast-spreading worms, and hidden malware--have outpaced the advances, leaving computer systems and networks across industries more vulnerable than ever.

What can businesses and Uncle Sam do, together, to reverse this dangerous trend? There must be three areas of immediate focus. First, the public and private sectors need to share more information--more parties must be included and new platforms used. Second, they must pay more attention to defending against attacks that threaten critical IT infrastructure and even damage physical facilities. Third, their collaboration must be ratcheted up to the next level--real-time identification and response as threats occur and, more to the point, "moving security practices from a reactionary posture to one that's proactive and preemptive," says Rich Baich, leader of Deloitte's Cyber Threat Intelligence Group.

In other words, the growing number of cybersecurity "partnerships" being established between the federal government and the business community are more than a one-way street. The feds may be driving the effort through initiatives such as Homeland Security's 2009 National Infrastructure Protection Plan, developed in response to a presidential directive, but companies stand to benefit from the more resilient cyber defenses that result from such collaboration.

The feds have defined 18 infrastructure areas considered essential to national interests. They include the agriculture, banking, chemical, and defense industries, as well as government facilities. The goal is to protect the computer systems and networks that serve those vital sectors from increasingly sophisticated threats, including those launched by hostile actors such as terrorist organizations and rogue nations.

Even the Department of Defense is looking to work with the private sector. When Deputy Secretary of Defense William Lynn recently outlined the DOD's plans for bolstering its cyber defenses, he called for increased cooperation with industry. "With the threats we face, working together is not only a national imperative, it's one of the great technical challenges of our time," he said in February at the RSA Conference in San Francisco.

Over the past two years, the DOD has developed "active defenses" that use sensors, software, and signatures to protect its military networks. Next, Lynn said, the agency will make its cyber capabilities available to the private sector "to help protect the networks that support government operations and critical infrastructure," such as the power grid, telecommunications networks, and defense contractor systems.

Several organizations have laid the groundwork for increased collaboration on cybersecurity. Since 2003, the U.S. Computer Emergency Readiness Team (US-CERT) has been providing updates on threats to industrial control systems and other computing infrastructure. The 42,000 members of InfraGard, a partnership between the FBI and the private sector that dates back to 1996, are devoted to creating "actionable intelligence" for infrastructure protection.

Much of the activity revolves around information sharing in key industries. For example, the National Council of Information Sharing and Analysis Centers supports threat response for companies in financial services, healthcare, public transportation, and a handful of other industries.

Information sharing is important, but it's not enough. Scott Charney, VP of trustworthy computing with Microsoft, calls information "a tool, not an objective."

Industry-specific initiatives are evolving into something more substantial. The Financial Services Sector Coordinating Council, whose members include Bank of America, Citigroup, Morgan Stanley, and Visa, coordinates the protection of IT and other infrastructure operated by banks, insurance companies, and other financial institutions. The council does that work in collaboration with the departments of Homeland Security and Treasury, and in December it took things a step further via a memorandum of understanding with the National Institute of Standards and Technology, Commerce Department, and Homeland Security that paves the way for financial firms and government agencies to work together on the development of cybersecurity technologies and test beds.

Milestones in critical infrastructure Protection

Previous
1 of 4
Next
Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2011-4403
Published: 2015-04-24
Multiple cross-site request forgery (CSRF) vulnerabilities in Zen Cart 1.3.9h allow remote attackers to hijack the authentication of administrators for requests that (1) delete a product via a delete_product_confirm action to product.php or (2) disable a product via a setflag action to categories.ph...

CVE-2012-2930
Published: 2015-04-24
Multiple cross-site request forgery (CSRF) vulnerabilities in TinyWebGallery (TWG) before 1.8.8 allow remote attackers to hijack the authentication of administrators for requests that (1) add a user via an adduser action to admin/index.php or (2) conduct static PHP code injection attacks in .htusers...

CVE-2012-2932
Published: 2015-04-24
Multiple cross-site scripting (XSS) vulnerabilities in TinyWebGallery (TWG) before 1.8.8 allow remote attackers to inject arbitrary web script or HTML via the (1) selitems[] parameter in a copy, (2) chmod, or (3) arch action to admin/index.php or (4) searchitem parameter in a search action to admin/...

CVE-2012-5451
Published: 2015-04-24
Multiple stack-based buffer overflows in HttpUtils.dll in TVMOBiLi before 2.1.0.3974 allow remote attackers to cause a denial of service (tvMobiliService service crash) via a long string in a (1) GET or (2) HEAD request to TCP port 30888.

CVE-2015-0297
Published: 2015-04-24
Red Hat JBoss Operations Network 3.3.1 does not properly restrict access to certain APIs, which allows remote attackers to execute arbitrary Java methos via the (1) ServerInvokerServlet or (2) SchedulerService or (3) cause a denial of service (disk consumption) via the ContentManager.

Dark Reading Radio
Archived Dark Reading Radio
Join security and risk expert John Pironti and Dark Reading Editor-in-Chief Tim Wilson for a live online discussion of the sea-changing shift in security strategy and the many ways it is affecting IT and business.