The changing of the cybersecurity guard at the US Department of Homeland Security (DHS), coupled with complacency on the part of some corporate executives, has put a higher premium on information-sharing and cooperation between the private sector and the government.
"The two words to focus on are cooperation and coordination," said Richard Davidson, CEO of Omaha-based Union Pacific, which combats more than 80,000 probes on its networks daily. "That all adds up to partnership and information-sharing, and that is our best form of protection during these challenging times," said Davidson, who also serves as chairman of the President's National Infrastructure Advisory Commission.
Davidson spoke last week at a US Chamber of Commerce conference in Washington that addressed the roles and responsibilities of the government and private sector in homeland security efforts.
Uncertainty stemming from the loss in recent months of critical cybersecurity leadership at the DHS could escalate into danger for private-sector companies, said Michael Hershman, president and CEO of Decision Strategies LLC, an Virginia-based security consulting firm.
Companies have started to slow down their efforts to boost security because there has been no terrorist activity recently, Hershman said.
"I'm afraid that they may be drawing back into complacency," he said. "In recent months, we've seen corporations stand back, reassess what their needs are and try to understand what the level of threat is."
But a lack of effective communication between the corporate community and government agencies has left companies trying to assess their risk with little or no understanding of the threat, Hershman said.
"Corporations in America have spent billions of dollars for security, with very little cost-benefit analysis," said Hershman. He noted that the Bush administration has only added to the confusion regarding who is ultimately responsible for critical infrastructure security by assigning responsibility to industry while issuing more than 60 regulations since September 11.
The lack of order and stability in the way the government currently deals with the private sector — a situation exacerbated by the recent creation of the DHS — is of immediate concern to Michehl Gent, president of the North American Electric Reliability Council in New Jersey.
"We have a constant fight among agencies for the hearts and minds of industries," said Gent, referring to the multitude of federal agencies that regularly bombard private-sector entities with requests for security information. "DHS is supposed to do that, and I'm looking forward to them being more successful. But in the meantime, I have to keep warding off (government agencies)."
SIDEBAR: Schmidt's Departure From DHS Raises Cybersecurity Leadership Concerns
The private-sector IT security community will lose a staunch advocate in the White House on May 1 when Howard Schmidt leaves government service.
Schmidt, heir apparent to the role of chief cybersecurity adviser to the secretary of homeland security, announced last week that he plans to retire after only 17 months as vice chairman of the President's Critical Infrastructure Protection Board. Schmidt served alongside Richard Clarke, the nation's first chief cybersecurity adviser, who retired in February.
Matters of cybersecurity now fall to Robert Liscouski, a former executive at The Coca-Cola Company who was recently named assistant secretary of infrastructure protection at the DHS. His responsibilities include cybersecurity and protecting the nation's vital physical assets from attack.
The concern is that without a single individual responsible for private-sector cybersecurity, it could get lost in layers of DHS bureaucracy.
Alan Paller, director of the SANS Institute, a US security research firm, said he was saddened by Schmidt's decision to leave. "He was the one representative from industry that actually understood the way attacks are launched and what needed to be done to stop the attacks," Paller said.
David Wray, a DHS spokesman, said the department couldn't comment on what the White House may or may not do about having a single individual in the DHS who is responsible for cybersecurity. But he noted that many of the technology industry's leading companies have recognized the importance of and adopted an integrated approach to cyber and physical infrastructure security.
Schmidt downplayed the impact that his retirement will have on the government's ability to work with the private sector.
"We have to understand that this (issue) is more than just a person," Schmidt said. "Irrespective of where it is in the administration and where it is executed now, we have a clear road map and people who are empowered to make (the strategy) work."
Still, Harris Miller, president of the Information Technology Association of America, said not appointing a prominent individual to a position that is solely responsible for cybersecurity is unfortunate. "Not having someone like Howard or Dick Clarke as a special adviser to the secretary is a big error, in my estimation," said Miller.
"We're experiencing the loss of two real experts that (private) industry and the country depended on," said Larry Wortzel, an analyst at conservative think tank The Heritage Foundation and a career military intelligence officer. "I hear dissatisfaction with the model" of making one individual responsible for both cybersecurity and physical infrastructure protection, he said.