State and local governments need better risk management processes for disasters, including cyberattacks, according to Andy Purdy, acting director of the National Cyber Security Division during the George W. Bush administration. Governments at all levels need be more proactive to prevent infiltration, Purdy said in an interview with Government Technology magazine.
Purdy, now the chief cybersecurity strategist at Computer Sciences Corp., said that federal, state, local and private groups need more preventive planning to safeguard their data.
Purdy is a former member of both the U.S. Department of Homeland Security and the White House team that drafted the National Strategy to Secure Cyberspace.
State and local decision-makers should ask questions that lead to assessments, Purdy said. “They need to have some idea of — and this deals with physical and cyber — what’s the risk profile. What do they need to do about it?” he said.
Comprehensive risk management was one of four strategic national priorities that Purdy outlined for improved national cybersecurity. All involve public-private collaboration:
1. Assess risk and prioritize measures to mitigate risks to government systems.
2. Create cyber-preparedness protocols and situational awareness for critical infrastructure.
3. Delineate response actions.
4. Continue research and development to ensure that everyone involved has the best actionable intelligence.
Purdy’s perspective comes on the heels of FBI Executive Assistant Director Shawn Henry’s grim statement last month in The Wall Street Journal about America’s ability to protect corporate data from cybercriminals. “We’re not winning,” Henry said.
The companies tied to the nation’s critical infrastructure, including the electric and nuclear industries, need to overhaul the way they use technology to be more defensible, Henry explained. “I don't see how we ever come out of this without changes in technology or changes in behavior, because with the status quo, it's an unsustainable model. Unsustainable in that you never get ahead, never become secure, never have a reasonable expectation of privacy or security,'' Henry told the Journal.
When Purdy spoke to Government Technology, he said the strategic priorities he spelled out hadn’t been done yet, though some strides had been made. The federal government’s National Infrastructure Protection Plan, for example, is a document outlining steps for securing America’s critical infrastructure, and the Obama administration’s Cyberspace Policy Review aimed to assess America’s cybersecurity policies and network.
But neither these nor other projects like them have led to the detailed, comprehensive information sharing Purdy said he believes is crucial.
“In the case of information sharing, we haven’t really said, ‘What’s the information we need from home? What are the obstacles to get it? How do we need to get it? How do we need to bring it together to share it and analyze it to make sure it can get out there?’” Purdy said.
Of course, information sharing is being done in state and local government, evidenced by the presence of multistate ISACs — such as the Multi-State Information Sharing and Analysis Center run by the Center for Internet Security. But a coordinated, long-term effort could work wonders, Purdy said.
Purdy suggested that data sharing has been done in a piecemeal fashion, with no real barometers to gauge how much should be done or when enough’s enough.
“You can’t just say, ‘OK, we’ve got a few people sharing. Now let’s get a few more sharing.’ You can do that, but you don’t have any idea of when you get to the point that you have adequate information or to the point that you need to do extra things to get the information you’re missing,” Purdy said.
But the U.S. hasn’t approached large-scale information sharing from a strategic, program management perspective. And information sharing involves public-private cooperation, but some private companies hesitate sharing because they’re concerned about their liability if they do so.
“We have to take away those obstacles, real or perceived or professed, so that we can make sure that we maximize the chances of getting the information we need,” Purdy said. “There has to be a better understanding of, ‘Let’s evaluate the kinds of alert and warning information that’s coming from the government and the ISAC so we can have folks assess the quality of our situational awareness.’”