SAN FRANCISCO -- U.S. companies and the federal government need to step up and fix the problems in their computer networks, the nation's new cybersecurity czar told attendees during his first-ever address at RSA Conference here on Thursday.
Within the next 10 years, the majority of the world's communication needs will probably be handled by the Internet, said Gregory Garcia, the assistant secretary for cybersecurity and telecommunications at the U.S. Department of Homeland Security (DHS). "This proliferation of applications and devices within the converged network is going to create a breeding ground for security problems," he said. "Our networks and our systems are vulnerable and they are exposed."
Garcia outlined two priorities for the year ahead. First, his office is working with federal agencies to adopt common security policies and practices. Second, he plans to work with the private sector to push forward the National Infrastructure Protection Plan, an effort to evaluate computer security risks on an industry-by-industry basis and outline the steps that need to be taken to address them.
The broad strokes of this plan were outlined last June, and the DHS is now working with industry to flesh out sector-specific plans, Garcia said.
He made it clear that the DHS expects U.S. companies to participate. "There are a lot of plans in Washington. This one is going to stick," he said. "The private sector owns and operates 90 percent of the critical infrastructure, and it's up to you all, not just the DHS, to secure this infrastructure."
Companies looking for best practices already have a number of standards they can consider, Garcia said, pointing to the International Organization for Standardization (ISO) 17799 specification (the information security code of practice, since renumbered ISO/IEC 27002) and the guidelines prescribed by TechNet, an IT industry association.
Computer security has not been a top priority at the DHS, which has paid far more attention to physical security threats to the nation since its inception in 2003. And though DHS Secretary Michael Chertoff tried to put a sharper focus on computer security by creating Garcia's high-level post in 2005, the position remained vacant for more than a year.
Garcia was introduced Thursday by Art Coviello, president of EMC's RSA group, who said afterward that he was encouraged by the assistant secretary's speech.
"It's a combination of carrot and stick," he said in an interview. "Chiding industry to actually comply with these standards that are out there, and a veiled threat of regulation to get things done."
Coviello said that cybersecurity has "languished a bit" within DHS ever since U.S. President George W. Bush signed off on his administration's comprehensive cybersecurity plan in 2003. "The Department and Secretary [Tom] Ridge and Secretary Chertoff obviously focused on the right things -- physical threats -- but now it's time to get after the critical infrastructure from the cyber side," Coviello said in the interview.
"I don't think industry is looking for a lot of regulation from government," he added. "What they are looking for is leadership."