TORONTO – Canadian public sector security experts who assume the Americans are on top of potential IT threats may be in for a nasty surprise, a former official with the U.S. Department of Homeland Security warned the InfoSecurity Canada crowd on Wednesday.
Al Purdy, now principal of DRA Enterprises Inc. and formerly one of the drafters of the United States’ cyber-security policy, described an often frustrating and dysfunctional culture in the U.S. government that could leave major regions and infrastructure exposed to devastating denial-of-service, botnet or other attacks.
“The lack of ability to lead and take action is just shocking and unbelievable,” said Purdy, stressing the need to plot out possible areas of vulnerability and preventative measures. “If Korea was for some reason to attack Japan, or if China wanted to invade Taiwan, there is a real danger of cyber attacks against the command and control centres of their allies…there are 15 attack scenarios in the U.S. that no one is doing squat with.”
After the terrorist attacks of Sept. 11, 2001, IT security was supposed to undergo a paradigm shift from a threat-based, reactive approach to a risk-based, proactive one, Purdy said. Despite the release of the cyber-security policy in 2003, however, he said that shift hasn’t really happened. In particular, there is a belief that first-responder agencies are prepared to deal with almost any kind of disaster, and those in leadership often don’t understand IT risks, Purdy said.
“The one thing that is certain is that (in the event of a cyber-attack) someone is going to get blamed,” he told the InfoSecurity Canada crowd. “In my three and a half years at DHS, I was charged with trying to help keep America safe, and I wanted to cover my ass doing it.”
Purdy said Canada and the U.S. have to start working more closely together with governments in other countries to create a more collaborative way of tackling cyber-security problems. That’s one of the reasons he and some colleagues are trying to create an international centre that will focus on these issues.
“There is an appalling lack of coordination internationally,” he said. “You can’t just sit there and say, ‘We’ll do something when there’s a digital Pearl Harbour.’”
One of the problems with cyber-security, according to Purdy, is that the risks are real but not always visible and obvious. At least in the U.S., budgets for IT risk mitigation are only one part of the overall Homeland Security spend and have to go through a number of approval channels, including Congress.
The most likely way to address some of the risks is a public-private sector collaboration based on an established risk management framework, Purdy said. This is one of the drivers behind a recent move by the IT Governance Institute, best known for developing Control Objectives for Information and related technology, or COBIT, to start work on a risk management framework later this year.
Urs Fisher, head of IT and risk management at SwissLife Group, is leading a steering committee that is developing the framework. While COBIT does contain some discussion of risk management, he said in a recent interview that ITGI realized that it needed to provide more depth and guidance as technology professionals struggle with issues around compliance with regulations such as Basel II. That said, those who are already in the process of adopting COBIT should not see the risk management framework as another big project to take on.
“It’s more of an add-on (to COBIT) than a new one,” he said, adding that the risk register is only one element of a more comprehensive education about risk. “It’s not a checklist. It’s more about the way you should do risk management.”
Purdy pointed to COBIT as a good example of a risk management framework that could be adopted by governments.
InfoSecurity Canada 2008 wraps up Thursday.