Symantec Symposium: Assessing Challenges For Cybersecurity Policy

Melissa Hathaway, acting senior director for cyberspace for the National Security and Homeland Security councils, said Tuesday that success in cybersecurity would depend on collaboration between public and private sector security interests.

Speaking at Symantec's Government Symposium in Washington, D.C., Hathaway explained the different areas of the 60-day Cyberspace Policy Review and said that her team will be examining how to adjust laws and regulations that often contradict one another when it comes to cybersecurity threat response.

"We can no longer talk about the public and private partnership," Hathaway said during her lunchtime keynote address. "We have to activate it."

Hathaway, who confirmed last week that she was in the running to be the White House's first cyberspace coordinator, told Symantec attendees that President Obama was personally overseeing the selection for the position and that the Obama administration, thus far, had demonstrated an "unprecedented level" of engagement by a presidential administration with regard to cybersecurity initiatives.

She added that her team would release a comprehensive national incident response plan for cybersecurity by the end of the year.

"You can expect a dialogue on this issue with the private sector," Hathaway said. "You will also see us working with Congress because many issues will require a legislative fix."

Hathaway's insistence on a cybersecurity policy that drew on both public and private sector entities echoed a similar message from U.S. Sen. Mark Warner (D-Va.) at a keynote earlier in the day.

Much of Symantec's Government Symposium was devoted to cybersecurity challenges as they relate to legislation, the role of public sector vs. private sector interests and how security is addressed throughout various government agencies.

Symantec CEO Enrique Salem told reporters in a media roundtable at the Symposium that Symantec was continuing to follow legislative developments related to security, but cautioned against cyber policy bills that might already be too soft by the time they're passed into law.

"The challenge is that something that is reasonable today might not be reasonable five or 10 years from now," he said. "Anytime you mandate technology, that's a problem."

Salem and Symantec's Federal Government Relations Manager Kevin Richards cited to reporters such bills as the U.S. ICE Act of 2009 (S.921). Sponsored by Sen. Thomas Carper (D-Del.), the bill calls for unifying "policies, procedures and guidelines for securing information systems and national security systems, establish security standards for government-purchased products and services, and for other purposes."

Conversely, Salem said, Symantec didn't see much teeth in the Rockefeller-Snowe bill introduced by Sens. John Rockefeller (D-W.Va.) and Olympia Snowe (D-Maine) on April 1 that focuses on creating public awareness of cybersecurity issues, protecting civil liberties and "fostering innovation and creativity in cybersecurity to develop long-term solutions."

Salem also mentioned the Federal Information Security Management Act (FISMA), which he described as more of a "checklist" given that it hasn't been updated in half a decade.

"It's time for FISMA to get updated," he added. "It needs to go beyond the paper exercise and become more operationalized."

Salem and other Symantec executives said the best cybersecurity legislation will move beyond the idea of hiding information from malicious threats and instead make cybersecurity functional across the public and private sectors.

"The cyber review -- we have to get on with this with a real sense of urgency," Salem said. "Some of the key pieces of legislation are moving, but let's not wait around for the cybersecurity czar. There are things that can be done right now."

Next: Better Information Sharing

Vendors, integrators and solution providers alike echoed many of the concerns presented by Hathaway and Salem at the symposium.

"One of the biggest challenges is information sharing," said Jim Jaeger, director of cybersystems for General Dynamics Advanced Information Systems. "It's become increasingly obvious that the government can't solve security problems themselves. Sharing information has become critical. We need to provide an environment where it can be shared."

"Melissa Hathaway's remarks reinforce the importance of enhanced cooperation and coordination in securing cyberspace and compel us to action," said Craig P. Abod, president of Carahsoft, a Reston, Va.-based solution provider who attended the symposium. "Industry, academia, private citizens and the federal government must cooperate to ensure the security of our systems. Applying the right technology and policy to make that happen will be key, and Symantec is well positioned to serve in this area."

Speaking on a panel devoted to the Comprehensive National Cybersecurity Initiative, William Crowell, a security consultant and former deputy director of the National Security Agency, said creating a cybersecurity plan understood and utilized by all government agencies was one of the biggest challenges faced in public sector.

"It's going to be a huge financial drain on the country if we don't get it right," Crowell said.

Susan Alexander, chief technology officer for information and identity assurance in the Office of the Assistant Secretary of Defense for Networks and Information Integration, described meeting cybersecurity threats as changing paradigms and making agencies more proactive.

"In the past, the Department of Defense has mostly looked at things in terms of vulnerabilities," she said. "But there's been a shift toward making our systems more secure and creating an environment that protects users. That means not only protecting them but also being able to recover quickly when bad things happen."

Crowell added that the role of solution providers and integrators is crucial to comprehensive solutions.

"Integrated solutions are very important," he said. "When identifying who and what in the network can be trusted, that idea of identifying 'what' is relatively new."

Crowell recalled how, more than two decades earlier during a training exercise, he had been able to hack into the National Security Agency's database for the U.S. Navy by guessing the password -- "anchor" -- on his third try. Have things changed all that much?

"Twenty-five years later, we're still using passwords," he said. "We have pieces, and we have to put them together in a deployable solution that works, scales and meets standards."

William Vajda, a senior adviser to the Joint Interagency Cybersecurity Task Force, said people and agencies alike were starting to think differently about cybersecurity but needed to understand just how dangerous the Internet is.

"People are learning that they have to lock their doors in digital life," Vajda said. "We need to get everyone thinking about cybersecurity. Think of cassette tapes. We spent a lot of time trying to protect cassette tapes from being altered -- remember the little tab you had to pull off to make sure they weren't recorded over? Well, with CDs and then DVDs, that obliterated cassettes altogether. Folks were trying to make cassettes better, but then they were gone. There's tremendous opportunity [in security] that we haven't yet tapped is what I'm saying."

For security VARs in public sector, the best business opportunities continue to be in state and local government, suggested John McCumber, Symantec's strategic programs manager for public sector.

"That's the market: regional governments and municipalities," McCumber said. "You have to have regional channel partners to understand regional issues, and I'm counting on all of Symantec's partners to take advantage of that in this unique period in public sector."

"Symantec did an exceptional job at the symposium by connecting key executives and industry partners through organized sessions and relevant topics to the government," said Brian Strosser, vice president of enterprise data management for DLT Solutions, a Herndon, Va.-based solution provider. "Key issues such as cybersecurity, virtualization strategies, data retention and green computing were well addressed, in addition to the strategic methods of adopting these tools to improve collaboration, cost savings and information security."