Frequently Asked Questions: National Cyber Security Partnership

What is the National Cyber Security Partnership?

The National Cyber Security Partnership (NCSP) combines representatives from government, industry and academia working together to harden the nation’s cyber defenses. The partnership provides a forum, structure and common agenda for interdisciplinary, cross-industry information exchange with government. Lead organizations of the partnership are: the Business Software Alliance, Information Technology Association of America, TechNet and the U.S. Chamber of Commerce.

The public-private partnership was formed during the National Cyber Security Summit on December 3, 2003, which aimed to gather cyber security experts across disciplines to embark on a work program to develop recommendations for addressing key challenges posed in the 2003 National Strategy to Secure Cyberspace.

How does NCSP relate to the U.S. Department of Homeland Security or the White House National Strategy to Secure Cyberspace?

The partnership has no formal relationship with the Department of Homeland Security (DHS), although DHS Secretary Ridge issued a call to action at the December Summit, and the agency is welcoming partnership recommendations and will consider which recommended initiatives it may support.

As to the National Strategy, creation of this document in 2003 was an important first step in recognizing the critical role of information technology in the nation’s critical infrastructure industries and defining high-level approaches to strengthening the security of these systems. Since the release of the strategy, the government has initiated a sweeping reorganization of its homeland security and cyber security agencies. The partnership brought a new sense of momentum to realizing the public-private partnership envisioned in the strategy and acting on its recommendations.

Why is the partnership necessary?

The partnership was conceived as a cross-sectoral initiative to respond to the multifaceted challenges identified in the National Strategy. Cyber security suppliers and customers recognize that security is a "weakest link" issue that cuts across industry boundaries, impacts businesses of all sizes, as well as home users, and requires responsible action from all stakeholders. While several groups exist to build cyber security awareness or share information, no single group has the scope in terms of mandate or composition to address the entire problem.

How is the partnership structured and why is it structured this way?

The partnership comprises five task forces, each addressing a key challenge identified in the National Strategy: 1) Awareness for Home Users and Small Businesses; 2) Cyber Security Early Warning Systems; 3) Corporate Governance; 4) Technical Standards and Common Criteria; and 5) Security Across the Software Development Life Cycle. These groups met for the first time at the 2003 Summit and serve as the partnership’s primary mechanism for moving from plan to action.

Who is managing these task forces?

The task forces are managed by the lead organizations of the partnership: the Business Software Alliance (Software Task Force); Information Technology Association of America (Early Warning Task Force); TechNet (Corporate Governance and Technical Standards task forces); and the U.S. Chamber of Commerce (Public Awareness Task Force). The management of these task forces is primarily a secretariat function; the task force memberships — on average, about 25 to 30 people each — provide the substantive expertise to task force recommendations.

What are the major activities of the partnership?

Partnership task forces have met numerous times during the first quarter of 2004 to pursue the goals and objectives formulated at the December Summit. Each task force has prepared a series of recommendations, available on the partnership website at www.cyberpartnership.org.

The partnership task forces on Awareness and Early Warning released their recommendations on March 17, 2004. Other task forces will release their recommendations later in March and in April.

What are the most significant recommendations of the partnership?

A brief synopsis of the recommendations, activities and deliverables of the Awareness and Early Warning task forces follows:

Awareness: Developed a Small Business Guidebook to Cyber Security for small businesses and made available, for free, a Cyber Risk Profiler with cyber scoring — technology to assist small businesses in identifying and managing their cyber risk. Created outreach relationships to vertical industries, government agencies, educators and other key stakeholders.

Early Warning: Proposed creation of a National Early Warning Contact Network (EWAN). Designed to bolster early warning information-sharing about cyber security vulnerabilities, threats and incidents within and across industries, EWAN would be a multi-channel communications network involving new and existing information sharing networks, initially housed at US-CERT and implemented by late fall 2004.

Proposed development of a National Crisis Coordination Center (NCCC). A physical structure staffed by critical infrastructure-sector experts, as well as representatives from federal, state and local government, the NCCC would provide large-scale cyber and physical security crisis coordination operations, effective in 2006.

*The partnership task forces on Corporate Governance, Technical Standards and Software Development will release their recommendations later in March and in April.*

How will the recommendations of the partnership be implemented?

Implementation strategies vary by recommendation. Some involve a better rationalization of existing resources. Others involve voluntary adoption by industry. Still others require government endorsement and funding.

How is the partnership funded?

The partnership is based on the voluntary, in-kind contribution of services by the principal trade associations and participating companies.

How will specific partnership initiatives be funded? Will government money be required?

Partnership activity will continue to be based on the in-kind model. In certain instances, such as the creation of the National Crisis Coordination Center, government will be asked to contribute substantially to the necessary funding.

If these recommendations were implemented, would the nation’s cyber security problems be solved?

Like most risks in life, cyber security risks can be mitigated, but not completely eliminated. The nature of the threat is constantly evolving. Not all companies and institutions will share the same level of commitment to protecting their cyber-dependent resources from attack. A certain percentage of home users will remain uninformed about online security best practices. The partnership believes, however, that widespread adoption of its recommendations will substantially reduce the nation’s cyber security vulnerability.

Does the partnership recommend a stronger role for government in mandating cyber security?

The partnership believes that government must remain a strong advocate for heightened cyber security and must demonstrate leadership in this area by raising its own cyber security profile. The partnership advocates increased spending by government agencies to put in place the appropriate people, processes and technologies to accomplish this purpose. The partnership believes that attempts by government to legislate or regulate cyber security would be counterproductive, creating a "least common denominator" for cyber security practitioners and doing little to stop those intent on wrongfully hacking into systems.

What gives these recommendations real teeth?

Industry must take proactive steps to demonstrate its commitment to making substantial improvements in this area. Failure by the partnership to carry through on its recommendations or by companies to adopt them will open the door for greater government involvement.

Will the partnership dissolve after this rollout?

The partnership will continue its activities into the foreseeable future. While certain recommendations may be proposed, pursued and accomplished, other requirements may be identified and new task forces assembled. The partnership has been highly effective in pulling together technology and policy experts from a wide range of organizations, and its effectiveness at consensus-building will continue to be emphasized.