Monday, December 06, 2004
"Cybersecurity for the Homeland" report: how does it affect you?
Today the House Subcommittee on Cyber Security, Science, and Research & Development released a 41-page report about protecting the US from threats involving our computer infrastructure. How does it affect you, the small businessperson or home user?
Well, for one thing they say it's everybody's problem:
... all users -- from the individual consumer to the large corporation -- should strive to understand vulnerabilities within their networked environment and safeguard against them. It is also necessary to prepare mitigation and contingency plans to respond if a vulnerability is exploited.
They've got a point there. If you let criminals take over your computer, they'll use it to attack others, so you should secure your computers even if you think they're not "important".
They admit (commendably) that nobody knows what computer attacks are actually costing us. I'd long suspected that the numbers being thrown around ("XXX virus cost the world $NN billion!", which someone will say the day after the virus hits) were rubbish. They go on to explain that insurance companies aren't writing many computer security policies because they don't know what the loss rates are.
Despite being a government committee, they're skeptical about legislation to require better computer security. They've actually realized that the industry moves too fast. They hint that private sector players may start writing security requirements into contracts. If your business accepts Visa cards, you probably already know all about this: Visa's been imposing computer security regulations on merchants.
They suggest more technology transfer from government to the private sector. The report quotes an NSA spokesman as saying "In almost all cases the cybersecurity requirements found in national security systems are identical to those found in e-commerce systems or critical infrastructures". Which I think is wrong six ways from Sunday. Commercial systems have to defend against pranksters and thieves, whereas national security systems have to defend against armies and spies. The mindset is different and the tactics are scarcely comparable.
The DHS goal that means the most to small businesses is to have an education and outreach program. The report admits that this has "not received appropriate management attention". They did succeed in launching the National Cyber Alert System, which offers some decent educational material but which has missed some important recent security threats. Congress wants the DHS to do more and do it better.