By Brock N. Meeks, Chief Washington correspondent
updated 4/12/2004 6:44:28 PM ET

Corporate CEOs should take as much responsibility for computer security issues as they do for their company’s financial results, says an industry task force report released Monday under the guidance of the Department of Homeland Security.

Too often information security is relegated to second-tier importance in today’s corporate environment; however, senior executives need to see that the issue “is also a governance challenge that involves risk management, reporting and accountability,” said the Corporate Governance Task Force of the National Cyber Security Partnership responsible for Monday’s report.

“Executives must make information security an integral part of core business operations,” the report says. “There is no better way to accomplish this goal than to highlight it as part of the existing internal controls and policies that constitute corporate governance.”

After a series of corporate financial scandals, CEOs are now held personally responsible for their company’s financial results, including a requirement to verify and sign off on outside auditors’ financial reports. Monday’s cyber-security report encourages CEOs to step up the pace and take a similar amount of personal responsibility for the security of their computer networks. 

“It is the fiduciary responsibility of senior management in organizations to take reasonable steps to secure their information systems,” said Art Coviello, president and CEO at RSA Security and co-chair of the task force.  “This call to action is the work of many competing institutions coming together with common purpose,” Coviello said.  “We have done our job, and now we encourage CEOs and boardrooms across this country to do theirs.”

The report, titled “Information Security Governance, A Call To Action,” also states that guidelines it proposes are broad enough to be used by non-profits and educational institutions as well.  The task force developed its report by building on principles outlined in the administration’s National Strategy to Secure Cyberspace that was released early in 2003.  That report provided a broad framework for a national computer security strategy in the private sector that was long on vision but short on details. Monday’s report fleshed out the government’s proposal with detailed procedures for increasing the accountability and reliability of computer network security.

“In this era of increased cyber attacks and information security breaches, it is essential that all organizations give information security the focus it requires,” said Amit Yoran, director of the National Cyber Security Division for the Homeland Security Department.  “Addressing these cyber and information security concerns, the private sector will not only strengthen its own security, but help protect the homeland as well.”

Despite all the admonishment from the task force and its report, the recommendations are voluntary, hold no force of law and there are no repercussions for companies that ignore the entire document.

But ignoring the report’s recommendations could move the government to step in, said former U.S. Rep. Rick White, now CEO of TechNet, a trade group. “I can absolutely see [Congress] kind of getting fed up and saying, ‘Hey, we have to get ahead of this and start down that path,’ to implementing mandatory security regulations,” White said. “I don’t think that’s imminent right now, but I can see a year from now it being something people might want to focus on.”

And should a catastrophic cyberspace security event happen, “I think Congress would [impose security mandates] no matter what the industry had in place, even if everything was going great,” White said. But that would be a difficult path to take, White said. “I think the consensus still is that, in technology areas in particular, it’s tough for the government to mandate a [security] standard because the threat continually evolves.”

Been here before
Despite the high-profile vulnerabilities and dependence the U.S. economy has on the Internet, the private sector has successfully warded off any attempts by Washington to mandate security requirements. 

In addition, the Bush administration has slowly pushed responsibility and visibility of cyber-security issues to the margins as threats of physical terrorism from al-Qaida have taken center stage since 9/11.  The position of cyber-security czar once reported directly to the president; the position is now buried in a subdivision of the Department of Homeland Security.

But should any kind of disaster strike, the administration can’t feign ignorance of a possible threat.  Those warnings come from, among others, no less than former counterterrorism chief and later cyber-security czar Richard Clarke.  

While serving in government Clarke was often derided by security experts for fomenting an atmosphere of “fear, uncertainty and doubt” regarding potential attacks against America’s computer network infrastructure.  Clarke even coined the term “electronic Pearl Harbor” to describe a complete meltdown of U.S. computing power at the hands of a hostile threat.  Despite the criticism, Clarke has never wavered from those predictions.  

During a March 26 speech on cyber-security at Indiana University, Clarke spoke with reporters, saying that “the really bad news is 2004 is going to be worse” in terms of the number of attacks on U.S.-based computer networks. “What that says is there is chaos in cyberspace,” Clarke said.

Uneasy allies
The computer industry and the private sector in general have long been uneasy allies with the federal government over the issue of critical infrastructure protection. For more than a decade computer intrusions have been under-reported to the government for fear the information might leak to the public, sending stock prices plummeting and driving business to competitors.

Just last month DHS announced it was making it easier for owners of the nation’s critical infrastructure to share with it how their facilities are most vulnerable to terrorist attack.  In return for submitting the vulnerability data, the government is providing guarantees that such information will be kept private, unreachable by competitors, journalists and activists.

By law any information submitted to the new $3.9 million project, dubbed the Protected Critical Infrastructure Information (PCII) program, will be exempt from all Freedom of Information Act requests, the law that provides for public disclosure of information maintained by government agencies or offices.
