Vulnerabilities / Threats
05:36 PM
Connect Directly

RSA: Working Together Works

But making public-private partnerships function properly isn't always easy.

Working together is critical to managing cybersecurity risk successfully, but not everyone is on the same page when it comes to how to collaborate effectively, particularly when partnerships stretch across the divide between the public and private sector.

At the RSA Conference in San Francisco, Calif., on Tuesday, pretty much everyone sharing an opinion on the subject of security expressed support for sharing information and knowledge to counter cyber threats.

Scott Charney, Microsoft's corporate VP of trustworthy computing, called for collaborative defenses based on a public health model. William Lynn III, Deputy Secretary of Defense, urged building stronger collective defenses with our allies and better information sharing.

Howard Schmidt, Special Assistant to the President and White House Cybersecurity Coordinator, Philip Reitinger, Deputy Under Secretary for the Department of Homeland Security, and Patrick Gallagher, Deputy Under Secretary of Commerce for Standards and Technology and Director of NIST, all expressed support for collaboration and information sharing across the public and private sector to mitigate cyber security risk.

Though there's widespread agreement that cooperation represents the best defense against the dark arts, there's some heavy lifting required to get from theory to practice.

Lynn, in his keynote address, said that the even if the Department of Defense successfully executes its "Cyber 3.0" strategy, now in the final stages of review, it can't do it alone because most of the national critical infrastructure is in private hands. The Department of Defense has been pushing its senior IT managers to incorporate more practices from the commercial world and Lynn proposed that those in the private sector ought to be mindful of their role in the nation's network defense.

"In the cyber domain, soldiers are not the only ones on the front lines," he said. Civilians ought to take some responsibility for security, in other words.

Lynn suggested that some of the network defense resources provided by the military to the Department of Homeland Security could be made available to assist the private sector, but didn't offer any details about how this might work.

One of the pillars of the "Cyber 3.0" strategy described by Lynn involves marshaling both technology and people to maintain America's preeminence in cyberspace. But there's considerable concern that lack of human resources could hinder that goal.

Reitinger, in a town hall discussion, described cyber security as both a security issue and an economic issue. "It is the cybersecurity workforce of the future that is going to enable our country to succeed," he said, adding his voice to the chorus calling for stronger national efforts develop science, technology, engineering, and math talent.

"We have to make being a geek cool," he said.

Schmidt, during the same discussion, offered a few examples of successful attempts to connect the public and private sector, like the Cyber Storm III exercise last year. And Gallagher confirmed that effective collaboration is occurring at many levels in the government.

But Reitinger stressed that more needs to be done.

"It's just too hard to be secure," he said. "We've got to make it easier."

We have a long way to go, he said, because people don't always understand how to collaborate and share information effectively.

When they hear collaboration, he said, "Some people here think 'kumbaya' and walk out the door and nothing changes."

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Current Issue
E-Commerce Security: What Every Enterprise Needs to Know
The mainstream use of EMV smartcards in the US has experts predicting an increase in online fraud. Organizations will need to look at new tools and processes for building better breach detection and response capabilities.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio