By Geoff Fein
The nation needs a new cyber security strategy with a clear statement on the use of key elements of governmental authority, according to a Microsoft [MSFT] official.
The country needs to improve the authority to prosecute individuals who are not deterred by political means, Cheri McGuire, director of critical infrastructure and cyber security, trustworthy computing, Microsoft, and chairwoman of the information technology sector coordinating council, said yesterday at a conference in Washington, D.C.
“We need to promote an identity system that enables a trusted online ecosystem,” she told attendees at Protecting Cyberspace-People, Process, and Technology: Industry and Government Working Together, a conference presented by Federal Computer Week and hosted by Juniper Networks [JNPR].
McGuire participated on a panel discussing the power of partnerships to improve cyber policy, strategy and operations.
“And we need to strengthen indications and warnings analysis and response to better understand and manage the real-time health of networks including new methods of security monitoring and automation of those methods,” McGuire said.
While work has been done to strengthen the public-private partnership, it is time to move beyond reports and plans and into actionable efforts, she added.
Government must evolve to address the current state of threats by clarifying the structures for governance and collaboration both within the government and within industry, McGuire noted.
“The long-term investments must be complemented by near-term initiatives and planning as well as action to better secure our critical infrastructure and the sensitive network and data that are comprised in those networks,” she said.
Working with the private sector, advancing cyber safe security, also requires a radical evolution of public-private partnerships as the nation currently knows them, McGuire added.
“The federal government and private sector must articulate a new philosophy for collaboration. Government and private sector efforts must be both synergistic and efficient,” she said. “We have too many groups, too many meetings and too many reports…and at some point we have got to move beyond that, again, to get to action.”
The effort must be focused on protecting critical functions such as communications or Internet routing systems, as opposed to simply collecting data on physical assets, McGuire added.
The myriad of partnerships that exist today between government and industry are not sufficient to address the complex challenges the country faces in the future, she said.
“Such collaboration should include the exchange of technical data with rules and mechanisms to enable both sides to protect sensitive data, proprietary and sensitive, from a government perspective,” McGuire said. “We also must create global situational awareness to understand the state of the computing ecosystem and the events that may affect it.”
McGuire noted the number of public-private partnerships currently under way, for example the National Strategy to Secure Online Transactions, which focuses on identity management; the Information Technology (IT) Sector Baseline Risk Assessment; the IT Sector Information Sharing Pilot; and the Defense Industrial Base information sharing program.
“We have the National Cyber Incident Response Plan and we are exercising under Cyber Storm 3 for operational response,” she said. “For cyber crime, we have the International Botnet Task Force, the Anti-Phishing Working Group and the Digital Crimes Consortium, which are all working together, both public and private members, to address the global cyber crime issue. All good things, but at some point we have to move beyond that.”
Incremental progress is good, but now is the time to accelerate those efforts, she said.
“Help us move beyond planning and reports and into implementation and action,” she told attendees.