Technology companies must cooperate in the battle against cyberterrorism — or submit to government-imposed security regulations — Homeland Security Secretary Tom Ridge and other senior officials said at the first National Cyber Security Summit.
“The enemies of freedom use the same techniques as hackers do,” Ridge said to 350 industry executives gathered for the first-ever summit meeting. “We must be as diligent and determined as the hackers.”
The two-day conference, which ended Wednesday, was sponsored by the Department of Homeland Security and more than a dozen tech companies and trade groups. It was the first formal brainstorming session to draft security guidelines and cyberattack warning systems.
Ridge said the department intends to educate security managers in industries ranging from banking to transportation, as well as at least 50 million Americans with home computers, about the potential dangers.
The conference comes amid debate about the best way to protect the nation’s vast computer network against attacks that range from time-wasting and costly worms and viruses to terrorists who might break into government servers in search of sensitive data about nuclear programs or the president’s travel schedule.
Silicon Valley, which generally takes a hands-off approach to regulation, is opposed to formal policies and guidelines.
78 percent prepared
The Business Software Alliance trade group introduced a survey Wednesday claiming that at least 78 percent of information security managers believe their organizations are already able to defend themselves against a “major cyberattack.” The organization also released a detailed checklist for companies to ensure that their computer and telecommunication equipment was adequately prepared for what one government official called a “cyber 9/11.”
The Bush administration has generally been receptive to Silicon Valley’s lobbying efforts. But Bob Liscouski, assistant secretary for infrastructure protection — a new agency within the Department of Homeland Security — said the government reserves the right to wield the stick rather than dangle the carrot when it comes to cybersecurity.
“We need demonstrable results so we can say the private sector is taking the problem seriously,” Liscouski said. “If we can’t say that, I can tell you there are a lot of people who will legislate to tell you what to do.”
Given the daunting potential scope of cyberterrorism, even some technology industry leaders say that government regulations might make sense. Although suggested guidelines and recommendations are a step in the right direction, an attack could come if a single laptop containing sensitive data is lost or stolen from a national weapons laboratory.
“Everyone in business says they want to or should be secure, but that’s like everyone saying they want to or should be thin,” said Ira Winkler, chief security strategist for Hewlett-Packard Co.
“If recommendations are not mandatory, companies will say they don’t have the $10 million to invest in security, especially in this economy,” Winkler said. “But if you can tell shareholders that the expenditures are mandatory, the shareholders will understand.”
Executives at the conference met yesterday in working groups to advise the Homeland Security Department on subjects that include how to set up early warning networks and encourage companies to design better software. One early idea under consideration: professional licenses for software writers, similar to those for doctors and engineers.
The executives said they hope they’ll be able to share ideas with government officials in more formal meetings, including quarterly conferences and an annual summit.