Vulnerabilities / Threats
2/15/2011
05:36 PM
Connect Directly
LinkedIn
Twitter
Google+
RSS
E-Mail
50%
50%

RSA: Working Together Works

But making public-private partnerships function properly isn't always easy.

Working together is critical to managing cybersecurity risk successfully, but not everyone is on the same page when it comes to how to collaborate effectively, particularly when partnerships stretch across the divide between the public and private sector.

At the RSA Conference in San Francisco, Calif., on Tuesday, pretty much everyone sharing an opinion on the subject of security expressed support for sharing information and knowledge to counter cyber threats.

Scott Charney, Microsoft's corporate VP of trustworthy computing, called for collaborative defenses based on a public health model. William Lynn III, Deputy Secretary of Defense, urged building stronger collective defenses with our allies and better information sharing.

Howard Schmidt, Special Assistant to the President and White House Cybersecurity Coordinator, Philip Reitinger, Deputy Under Secretary for the Department of Homeland Security, and Patrick Gallagher, Deputy Under Secretary of Commerce for Standards and Technology and Director of NIST, all expressed support for collaboration and information sharing across the public and private sector to mitigate cyber security risk.

Though there's widespread agreement that cooperation represents the best defense against the dark arts, there's some heavy lifting required to get from theory to practice.

Lynn, in his keynote address, said that the even if the Department of Defense successfully executes its "Cyber 3.0" strategy, now in the final stages of review, it can't do it alone because most of the national critical infrastructure is in private hands. The Department of Defense has been pushing its senior IT managers to incorporate more practices from the commercial world and Lynn proposed that those in the private sector ought to be mindful of their role in the nation's network defense.

"In the cyber domain, soldiers are not the only ones on the front lines," he said. Civilians ought to take some responsibility for security, in other words.

Lynn suggested that some of the network defense resources provided by the military to the Department of Homeland Security could be made available to assist the private sector, but didn't offer any details about how this might work.

One of the pillars of the "Cyber 3.0" strategy described by Lynn involves marshaling both technology and people to maintain America's preeminence in cyberspace. But there's considerable concern that lack of human resources could hinder that goal.

Reitinger, in a town hall discussion, described cyber security as both a security issue and an economic issue. "It is the cybersecurity workforce of the future that is going to enable our country to succeed," he said, adding his voice to the chorus calling for stronger national efforts develop science, technology, engineering, and math talent.

"We have to make being a geek cool," he said.

Schmidt, during the same discussion, offered a few examples of successful attempts to connect the public and private sector, like the Cyber Storm III exercise last year. And Gallagher confirmed that effective collaboration is occurring at many levels in the government.

But Reitinger stressed that more needs to be done.

"It's just too hard to be secure," he said. "We've got to make it easier."

We have a long way to go, he said, because people don't always understand how to collaborate and share information effectively.

When they hear collaboration, he said, "Some people here think 'kumbaya' and walk out the door and nothing changes."

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2010-5110
Published: 2014-08-29
DCTStream.cc in Poppler before 0.13.3 allows remote attackers to cause a denial of service (crash) via a crafted PDF file.

CVE-2012-1503
Published: 2014-08-29
Cross-site scripting (XSS) vulnerability in Six Apart (formerly Six Apart KK) Movable Type (MT) Pro 5.13 allows remote attackers to inject arbitrary web script or HTML via the comment section.

CVE-2013-5467
Published: 2014-08-29
Monitoring Agent for UNIX Logs 6.2.0 through FP03, 6.2.1 through FP04, 6.2.2 through FP09, and 6.2.3 through FP04 and Monitoring Server (ms) and Shared Libraries (ax) 6.2.0 through FP03, 6.2.1 through FP04, 6.2.2 through FP08, 6.2.3 through FP01, and 6.3.0 through FP01 in IBM Tivoli Monitoring (ITM)...

CVE-2014-0600
Published: 2014-08-29
FileUploadServlet in the Administration service in Novell GroupWise 2014 before SP1 allows remote attackers to read or write to arbitrary files via the poLibMaintenanceFileSave parameter, aka ZDI-CAN-2287.

CVE-2014-0888
Published: 2014-08-29
IBM Worklight Foundation 5.x and 6.x before 6.2.0.0, as used in Worklight and Mobile Foundation, allows remote authenticated users to bypass the application-authenticity feature via unspecified vectors.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
This episode of Dark Reading Radio looks at infosec security from the big enterprise POV with interviews featuring Ron Plesco, Cyber Investigations, Intelligence & Analytics at KPMG; and Chris Inglis & Chris Bell of Securonix.