Four major business associations came out of the National Cyber Security Summit this week with a roadmap, working groups, a work plan, and a promise to have “initial deliverables” to present to corporate America by March 1, 2004.
The National Cyber Security Summit Alliance, as the group is called, comprises the US Chamber of Commerce, the Business Software Alliance, the Information Technology Association of America and TechNet.
Under guidance from the CERT US, a program of the US Department of Homeland Security and Carnegie Mellon University, the Alliance members have formed five working groups, each to study a piece of the security puzzle not adequately addressed.
One group will look at awareness-raising. It will try to figure out how to teach Internet users, from individuals to large enterprises and government agencies, how important it is to take care of their own security for the benefit of all.
Another group will attempt to identify how to better and more quickly disseminate information relating to security issues such as threats, vulnerabilities and incidents, and to create a common lexicon to do this.
The third will look at defining the role of the chief security officer in corporate governance. The fourth will try to figure out ways to improve the Common Criteria, a security seal program administered in the US by the National Institute of Standards and Technology.
The fifth and possibly most important working group will get into the nitty-gritty of how to actually secure the software that hypothetical cyberterrorists would exploit. It will try to figure out how to achieve meaningful and measurable vulnerability reductions.
Microsoft is leading this group through chief security strategist Scott Charney, along with Ron Moritz, head of Computer Associates International Inc’s security products, and Catherine Allen, CEO of the Banking Industry Technology Secretariat.
This group will focus on collaborative standards, tools, and measures for software, new tools and methods for rapid patch deployment, and best practice adoption as well as how to better build security into software from the ground up in future.
Since the Bush administration released its National Strategy to Secure Cyberspace back in February there has been a lot of talk about how to implement it, more calls to action than can be easily counted, and not a great deal of concrete activity.
Some saw the Strategy as vague. Indeed, many specific propositions contained in earlier drafts were reportedly eschewed at the request of an industry hesitant about being forced to do anything. It seems now that the threat of legislation has kick-started things.
At the summit on Wednesday, Robert Liscouski, DHS assistant secretary, told an audience of senior executives: “There are a lot of people out there willing to legislate how you should be doing your work. If that’s what you want, that’s what you’ll get.”
Indeed, there is a piece of draft legislation doing the rounds that would require companies to disclose their security status in Securities and Exchange Commission filings, much the same way they had to report Y2K compliance in the late 1990s.
The new Alliance working groups seem to be the first significant step towards fending off that threat by creating some public-private partnership self-regulation. The work is expected to continue beyond the initial deliverables deadline of March.
This article is based on material originally produced by ComputerWire.