Business Culture Is Obstacle To Cybersecurity

To ramp up its battle against cyberterrorism, the U.S. government will make an initial investment of $10 million, according to a report in the Los Angeles Times. A White House spokesman could neither confirm nor deny the report, but regardless of the amount, it may take more than money to address the real national IT security challenge: business culture.

American companies may have to get more comfortable with sharing information on security breaches. "America has built cyberspace, and America must now defend its cyberspace," Richard Clarke, President Bush's special adviser for cyberspace security, said in a statement. "But it can only do that in partnership with industry."

Mary Culnan, professor of management and information technology at Bentley College in Waltham, Mass., and former member of President Clinton's Commission on Critical Infrastructure Protection, agrees. Culnan says something must be done to help companies overcome their fear that public awareness of vulnerabilities will cause customers to lose confidence. "The private sector doesn't want to call law enforcement when something happens. They don't want yellow crime-scene tape around their systems," she says. "The government will have to work very hard to develop a sense of trust."

To help foster an exchange of sensitive information, Congress is considering the Critical Infrastructure Information Security Act. Sponsored by Sen. John Kyle, R-Ariz., and Sen. Robert Bennett, R-Utah, the legislation would encourage businesses to share security data with the government by protecting that information from public disclosure. The legislation also would facilitate the sharing of security data between companies by eliminating antitrust restrictions that could prevent such exchanges.

Darrel Sisson, senior programmer/analyst for manufacturer PHB Inc., doubts if U.S cybersecurity is an attainable goal. "Too many companies are running way too many different brands and versions of software to be tracked successfully, especially when you consider how many of these versions or releases have been modified by the end users," he says. "The best I can see happening is best-practice recommendations from the government for dissemination to the public."

The speed of change will be the biggest problem for Clarke's cybersecurity office, Sisson says. "Private companies employ thousands and thousands of programmers to write their software," he says. "Does the government plan to do the same--that is, hire thousands and thousands of programmers to research software at all levels of the government and private industry? That would be a daunting process, at the very least."