Cyber Attacks Demand Strong Public-Private Response

Posted November 6, 2009 at 11:35am

The federal government is increasingly taking a leadership role in improving the nation's cybersecurity. But, with a threat that is quickly growing and more sophisticated each day, it's clear that the government, for all of its good intentions, cannot win this battle without a robust commitment from technology companies.

The stakes could not be higher: A recently declassified report from the U.S. Cyber Consequences Unit, a nonprofit research think tank, revealed that cyber attacks emanating from inside Russia disabled most of the Georgian government's computer grid in August 2008, just days before war broke out between those two nations. In May, concerns arose again that defense industrial data was being exfiltrated to Asia. And in March, sensitive data on the presidential helicopter, Marine One, were found in a publicly available shared folder on a computer in Tehran.

Today, there are reportedly 18 cybersecurity-related bills being worked on in Congress. Some are focused on determining who leads the national cybersecurity efforts on a day-to-day basis: the White House, the National Institute of Standards and Technology, the Department of Homeland Security, the Department of Commerce or another entity? Other bills are aimed at attempting to protect critical infrastructure and key resources like the energy grid. Additional measures target improvements in the Federal Information Security Management Act and protecting citizens from data breaches. Given the paramount importance and high stakes of cybersecurity, technology companies are continuously developing more secure, robust technology products, integrating and increasingly managing them securely as a service on behalf of our customers. Because about 80 percent of the nation's information infrastructures are not government-owned, the government must rely on, and partner with, the IT product and services industry to protect our cyberspace.

If a cyber attack hits the critical infrastructures of the U.S., it will be the technology industry, not the U.S. Cyber Command, the National Security Agency or the Department of Homeland Security, that will defend these large complex enterprises. Moreover, long-term, enduring advancements in cyber innovations are unlikely to come from the government because of a large and growing gap in IT research and development investment between the private and public sectors. For example, Hewlett-Packard alone spends nearly $3.5 billion in technology research and development annually. This includes investment in basic and applied sciences and technology transfer for solutions that we see globally. Combined with the rest of the might of the technology industry, governments clearly cannot compete in investing in game-changing technology innovations. Even the mighty research and development arms of the Department of Defense, which include the Defense Advanced Research Projects Agency, inventors of the Internet, cannot compete with industry. Large technology companies are global in scope, and they are in constant competition to bring the most effective cybersolutions to every customer and potential customer. Security is an embedded part of HP's operations, permeating every step of the product and service of the enterprise. And with industry providing the vast majority of dollars toward advanced research, material improvements will undoubtedly come from the private sector.

None of this discussion is meant to undermine the government's role in cybersecurity. Whichever legislation is considered and adopted, federal cybersecurity activities are essential to protecting our information infrastructures.

Rather than attempting to federalize portions of the IT industry, the federal government should instead provide consistency in the way federal information and mission systems are secured, managed and governed, with an eye toward showcasing an evolving list of best-practices examples.

The federal government should also streamline oversight of such measures to better coordinate protections against cyber attacks, applying techniques and standards developed in the private sector that emphasize quick response and reliable operating performance in the face of such attacks. Further federal investment in basic science and technology education, the building blocks for creating the next generation of IT experts, is essential, too. Given the global reach of cybersecurity, there are few issues facing us today that require more thoughtful public-private cooperation. Our success in combating cyber attacks depends on this, and HP and other technology companies are committed to continuing to work with the government to protect the global information infrastructure we have come to depend on in all of our daily lives.

Sam Chun is the cyber security practice director in the U.S. Public Sector for Hewlett-Packard Enterprise Services.