IT industry's 12-point cyber-security plan

by Iain Thomson

15 Dec 2004

The Cyber Security Industry Alliance (CSIA), a consultative body of computer security professionals, yesterday published a 12-point list for securing America's IT infrastructure.

The list includes ratifying the Council of Europe's Convention on Cybercrime, strengthening security certifications and leading by example in government procurement.

A special 'Emergency Co-ordination Network' should also be set up to act as a backup if national systems fail.

"The Bush administration has made significant improvements to cyber-security but there is still more that must be done to harden our economy and critical infrastructure against cyber-attacks," said Paul Kurtz, executive director at the CSIA.

"The CSIA believes that the time for action is now. We have moved beyond the discussion and planning phase, and have identified concrete actions that can be taken by the administration to immediately improve the security of our nation's cyber-systems."

In an interview with vnunet.com earlier this year, CSIA chairman John Thompson, also chief executive of Symantec, warned that there was still a significant job to do in securing the online world, and that, since 85 per cent of US networks are in private hands, any changes must be part of a public/private partnership.

As the CSIA was presenting its plan, IT security expert and author Bruce Schneier was warning that computer security was little help in some regards, and that we should instead be concentrating on putting more human intervention into security systems.

Schneier highlighted airlines training staff to spot likely targets by behavioural profiling rather than using massive databases, calling the latter "a mess".

"The problem with computerised passenger profiling is that it simply doesn't work," he said. "Behavioural assessment profiling is different. It cuts through all those superficial profiling characteristics and centres on the person."

Schneier pointed to a programme at Logan airport in Boston which had caught 20 fugitives in the early days of its trials of behavioural modelling. He suggested that, while it is not a silver bullet, it is better than any computerised alternatives.

Cyber Security Industry Alliance points in full:

  • Dedicate an assistant secretary position in the Department of Homeland Security
  • Urge quick ratification of the Council of Europe's Convention on Cybercrime
  • Encourage information security governance in the private sector
  • Lead by example with federal procurement practices
  • Close the strategic gap between government and private sector information security efforts
  • Strengthen information sharing and analysis centres
  • Establish and test a survivable emergency co-ordination network
  • Direct a federal agency to track the costs associated with cyber-attacks
  • Increase R&D funding for cyber-security
  • Fund authorised responsibilities for National Institute of Standards and Technology Computer Security Division and White House Office of Management and Budget
  • Strengthen the federal security certification process to improve the quality of security in software
  • Direct a taskforce to develop specific actions that will secure digital control systems used by utilities.

