DHS head: Businesses need to focus on cybersecurity

WASHINGTON - The U.S. Department of Homeland Security (DHS) will focus significant efforts on cybersecurity and on working with private vendors to develop technologies designed to provide domestic security in the coming months, DHS Secretary Michael Chertoff said Wednesday.

Chertoff, speaking at the InfraGard National Conference in Washington, D.C., also called on private companies to make more of an effort to protect their cyber infrastructure. He also said there needs to be more incentives for IT vendors to focus on cybersecurity. InfraGard is an organization started by the U.S. Federal Bureau of Investigation to improve information sharing on critical infrastructure between the U.S. government and private industry.

One way to provide incentives for private companies to develop cybersecurity products is legal reform that limits damages from product lawsuits, Chertoff said.

He mentioned the Support Anti-terrorism by Fostering Effective Technologies Act of 2002 (SAFETY Act), which limits liability for products designed to combat terrorism after a terrorist attack, but he suggested Congress should go further in protecting companies from product lawsuits.

Private companies should already have good reasons to protect their own cyber infrastructure, however, he said. "There's also a very strong business case to be made for private sector investment in security," he said. "In today's threat environment, active security measures are critical to businesses themselves, because the cost of an attack will very, very greatly outweigh the cost of protection."

Chertoff didn't immediately address a May report from the U.S. Government Accountability Office, which said the agency has "not fully addressed any" of its 13 key cybersecurity areas. But much of his talk at InfraGard was focused on cybersecurity, while most past DHS efforts have focused on physical security.

Most of what DHS has identified as the U.S. critical infrastructure is controlled by computers, Chertoff noted, and most of that infrastructure -- such as the nation's electrical grid and financial networks -- is owned by private companies. Chertoff called for a "21st century style of organization" that includes government agencies working closely with private companies to protect important national assets.

"We all recognize that protecting these vital national assets is a shared responsibility and a partnership," he said. "The Department of Homeland Security does not and should not own and control all these systems."

DHS will look at "all aspects of cybersecurity" in the coming months as it hires a person to fill the newly created position of assistant secretary for cybersecurity, Chertoff said. The agency will work to further develop partnerships with private companies to protect cybersecurity, and cybersecurity will be an essential part of a national infrastructure protection plan DHS is currently working on, he said.

Chertoff also called on private industry to develop new technologies that DHS can use in areas such border security, passenger screening systems and information sharing. "To realize the full benefits technology has to offer, we have to look outside the walls of DHS itself into the great area of private enterprise," he said. "On our end, we recognize our responsibility to support and aid technology developments in the private sector in any way we can."

Speaking after Chertoff, David Aucsmith, chief technology officer at Microsoft Corp.'s Security Business & Technology Unit, also called on the IT industry to focus more efforts on designing products for cybersecurity.

While most IT companies test their products for bugs, the testing generally covers the intended functionality of the products, Aucsmith said. But the vast majority of security problems happen when hackers find unintended uses of software, and traditional bug testing doesn't cover that unintended functionality, he said.

Aucsmith called for more "threat-based" software development. "We have to assume we have an adversary, and every piece of software should be written this way," he said. "Generally speaking, it's not."