[Infowarrior] - U.S. calls for more organized cyber response

Richard Forno rforno at infowarrior.org
Sat Feb 10 22:47:28 EST 2007


 U.S. calls for more organized cyber response
Robert Lemos, SecurityFocus 2007-02-08
http://www.securityfocus.com/print/news/11441

SAN FRANCISCO -- The United States' top cybersecurity official renewed calls
on Thursday for companies to step up and help the federal government manage
threats to critical infrastructure and the Internet.

Gregory Garcia, Assistant Secretary for Cyber Security and
Telecommunications, told attendees at the RSA Security Conference that the
nation still has a long way to go before being ready to respond to a serious
cybersecurity incident.

"Our networks are, by and large, interdependent because our networks are
interconnected," Garcia said. "Home users, governments, and private
companies all need to be aware of their responsibilities."

The number of reported incidents has surged to 23,000 in 2006 from 5,000 in
2005, according to the latest data from the DHS. Moreover, the number of
vulnerabilities disclosed to public sources jumped by more than a third in
2006 over the previous year, although most of the flaw reports could be
attributed to increased scrutiny of Web applications.

The U.S. government has had a spotty record in dealing with cybersecurity.
Garcia became the first Assistant Secretary of Cyber Security and
Telecommunications in September, more than a year after the post was created
by Congress. While federal officials and private participants completed the
first international cybersecurity exercise in February, eight federal
agencies--including the Department of Homeland Security--failed to get
passing grades in an annual security audit.

Threats continue to multiply, Garcia said. The U.S. Computer Emergency
Readiness Team (US-CERT) has monitored as many as 3,000 bot net command and
control channels believed to be responsible for millions of compromised
machines, he said. Targeted trojan horses, which have attempted to compromise
government servers, are on the rise.

"Our networks and systems are vulnerable and exposed," Garcia said. "Our
adversaries are motivated and sophisticated."

Reaching out to companies to aid the nation's fight against cybercrime and
cyberattacks is not surprising. The private sector owns more than 80 percent
of the critical infrastructure in the United States, including the servers
and backbones that make up the Internet. While the government continues to
develop cybersecurity expertise among key personnel, not enough federal
employees have the knowledge necessary to be part of the 'A' squad,
Christopher Painter, deputy chief of the Computer Crime and Intellectual
Property Section (CCIPS) at the U.S. Department of Justice, said during a
panel discussion on Wednesday.

"The bench is not very deep in terms of cyber response," Painter said.

The DHS's immediate plans call for the department to work with the companies
to deter attacks, develop better response plans and build awareness in
specific industries, such as finance and power.

It's not too late to help out, Garcia said, adding that interested firms
should become familiar with the National Infrastructure Protection Plan.

"Companies that have not participated are just in time to jump in with both
feet," he told attendees.



