Sen. Thomas Carper (D-Del.) will introduce the ICE (Information and Communications Enhancement) Act, which would make information security a federal priority and establish a Chief Information Security Officer to report directly to the president.Tomorrow,
Currently, national information security responsibilities are divided between the Department of Homeland Security, the Department of Defense, and the National Security Agency. The new National Office for Cyberspace would involve cooperation between all these agencies as well as from the private sector. Potential costs of the new office and related initiatives are as yet unknown.
Where Is Security Lacking?According to Bob Gourley, Chief Technology Officer at Crucial Point LLC and primary blogger for CTOVision.com, "We have absolute proof that the United States is vulnerable to attacks. We're fortunate that those with the greatest ability to launch an attack are those with the least reason."
Areas of federal concern span government agencies and private enterprise, from ISPs to oil and power companies.
"National security organizations are aware of the risk to our infrastructure," he said, "and our defense is currently not well coordinated."
Both Howard and Gourley named Russia and China as having coordinated cyber espionage efforts and the ability to launch attacks with the potential for costly results. And no one is overlooking the possibility of attack from extranational terrorist groups.
So, How Much Is This Going to Cost?Another unknown factor is how the costs of bolstering information security will be handled. The most severe cyber attacks, said Gourley, would likely be aimed at the U.S.'s infrastructure, especially power and oil companies. "This threat is absolutely possible," he said, "and some things that need to be done will cost money."
Will the government subsidize any information security measure in the private sector? Howard said, "It's not clear who is going to get how much of the budget, but the lack of security is costing us all as it is."
By way of example, Howard noted that 10 million people had their identities stolen in 2008; he continued that such measures can be thought of as preventative health care for information security.
Fortunately, there are relatively inexpensive steps private organizations can take to improve their security; Gourley hopes Common Audit Guideline compliance will be part of new security measures.
He also cited cloud computing and open-source software as being "less expensive and more secure" and cited certain commercially available processors as having "capabilities that information security professionals have dreamed about for years."
The Big Brother QuestionSome see the Act as indicative of sweeping changes toward government regulation of private entities and worry that unintended consequences of these changes could impact competitive, free-market enterprise.
Although the creation of a national information security office will mean more regulation, oversight, and filtering of Internet traffic, Howard said, "There is a palpable feeling of excitement about national cyber defense."
So, Who's the Lucky Fella... Or Lady?In the event that the Act is passed by Congress, we can all begin to wildly speculate as to who our first Chief Information Security Officer will be.
Gourley imagines the position will call for "an information security superstar... with the national stature of a Colin Powell, someone who can really get things done."
Howard raises the point that the need for top-level security clearance might necessitate a candidate from inside the intelligence community.