[ISN] Yoran: Locals must lead IT security

[InfoSec News]

http://www.fcw.com/geb/articles/2004/0426/web-secure-04-29-04.asp

By Diane Frank 
April 29, 2004  

Local officials must take the lead in securing the information 
infrastructure within their jurisdictions, but the Homeland Security 
Department is standing by ready to help, according to Amit Yoran, 
director of the department's National Cyber Security Division.

Cybersecurity is still several steps behind physical security when it
comes to the attention and priority of officials at all levels of
government, officials stressed at the midyear conference of the
National Association of State Chief Information Officers in Chicago.  
One of the most worrying examples of this is the lack of mention of
information infrastructure in grants guidance from DHS' Office of
Domestic Preparedness, said Randy Potts, the chief information
security officer for Nevada.

"It has been all about boots and suits for a very long time," agreed
Aldona Valicenti, the former president of NASCIO and CIO of Kentucky,
now with Oracle Corp. She urged Yoran to use his and other's political
influence to make cybersecurity more visible in the official language
and requirements for homeland security at the federal level.

Some states are already putting cybersecurity among the top issues on
their homeland security lists. Indiana has created three task forces
for particularly urgent areas within the state: agriculture,
transportation and cybersecurity.

The cybersecurity task force has taken a bit longer than the others to
get off the ground because of confusion over where the industry
viewpoint fits in, said Clifford Ong, homeland security director for
Indiana. "We haven't really defined the population or what it is we
want to try to do," he said.

However, the state has already dedicated $1 million to an intrusion
detection system for all of the state's information networks while the
task force gets going, Ong said. The guidance for passing on federal
homeland security grant funding to local jurisdictions also includes a
requirement that cybersecurity must be involved in the solution, he
said.

At the federal level, the NCSD and its parent organization, the
Information Analysis and Infrastructure Protection Directorate, are
doing what they can to make sure that the physical experts are also
thinking about the cyber vulnerabilities and consequences, Yoran said.

Exercises seem to be one of the best ways to foster this type of
broader understanding, said Stuart McKee, CIO for the state of
Washington. The TopOff exercise conducted in part of that state last
year significantly changed the perspective of many officials about the
importance of cybersecurity, and that change has lasted, he said.

There are further exercises planed - DHS just announced TopOff 3 will
take place in April 2005 - but even for smaller-scale exercises the
division is working with the rest of the department "to make sure that
noncyber exercises incorporate or include some form of cybersecurity
thinking," Yoran said.

The department's resources and expertise in local issues are limited,
but Yoran said he would love to do regional or local exercises. The
key will be for officials at the state and local levels to get the
ball rolling, determine what their needs are and what they want to get
out of the exercise, and then DHS "would be happy to participate," he
said.