New Consortium Links IT and Physical Security

by Jacqueline Emigh

Network managers have been steadily improving their track record in IT security, just in time for a new emphasis on physical security, as a regional cyber security consortium takes off.

Network security managers in some organizations are starting to work more closely with their counterparts from the world of "physical" security. Since 9/11, for example, the State of New York has launched a "cyber security initiative" involving security specialists of both kinds, as well as other IT employees. Many government officials are now advocating this sort of "collaborative security" as a strategy for private businesses, too.

New York will now go on to spearhead a regional "cyber security consortium" with public and private representation from all ten Northeastern states, said William Pelgrin, director of the New York State Cyber Security and Critical Infrastructure Coordination Initiative, speaking at a recent meeting of the Information Technology Association of America (ITAA).

When federal government performs "gap analyses" of state cyber security policies, New York comes out on top, said Howard Schmidt, vice chairman of the President's Critical Infrastructure Program Board, during the same ITAA meeting in New York City.

"The next thing we have to do is to spread (this) across all of the other 49 states, and the territories," according to Schmidt.

'Anyone with a floppy disk and a frisbee.'
"Anyone with a floppy disk and a frisbee can now go out and write a virus, and send it out over the Internet," Schmidt noted.

Schmidt's office is now holding a series of town meetings across the US, for public input into the Bush administration's emerging draft strategy on "defending cyberspace."

When complete, the National Strategy for Defending Cyberspace will serve as a companion piece to the President's National Strategy for Homeland Security.

The main focus of the national cyberspace strategy will be "voluntary," according to Schmidt.

"(We don't want) regulations around specific industries any more than we need (them)," he said. "(We're) not in the business of the Internet or IT."

'Network security managers aren't the problem'
Still, though, companies should already be working on cross-disciplinary security plans anyway, recommended Richard Sheirer, former NY City Commissioner of Emergency Management , speaking at the New York eComm Association's recent Security & Defense Forum.

"Most companies aren't doing so, but network security (managers) aren't the problem," Sheirer elaborated, during an interview later. "IT people usually tend to be collaborative." Sheirer is now managing director of Giuliani Partners, a consultancy established by former NY Mayor Richard Giuliani.

Other speakers at the NY eComm Association's forum also urged private companies to be more proactive. "Whether you're in government (or not), at what capability are you prepared?" asked Dale Watson, principal in Booz Allen Hamilton's Global Strategic Security Practice, and former director and chief of counterterrorism and counterintelligence at the FBI.

IT and physical security should complement each other, suggested Dr. Stephen Flynn, senior fellow for national security studies and the Jeane J. Kirkpatrick Chair in National Security at the US Council on Foreign Relations.

"We are about to engage a ruthless enemy," Flynn told the forum attendees. "(But) we've had openness as our mantra."

According to Flynn, the US effectively imposed an economic blockade against itself by closing all its ports when 9/11 struck.

"The only tool (was) an 'off' switch," Flynn contended "Technology is going to be key."

Joseph R. Rosetti, president of Safir Rosetti, and former vice chairman, Kroll, pointed to several emerging technologies that might help out in the physical space, including biometrics, "smart doors," and RF tagging for container shipments.

'Protection and detection'
According to New York State's Pelgrin, "response" and "recovery" are the two aspects of security that have traditionally gotten the most attention.

Under the administration of Governor George Pataki, though, New York State began focusing on "protection" and "detection" back in 1996, with activities that included public awareness campaigns and ASICs, Pelgrin said. In 1997, the work of a state task force results in the creation of the Office for Technology (OFT), which now consists of four sections: Computing, Network, Applications, and Customer Relations.

Since 9/11, the New York State government has formalized and expanded on earlier activities by starting the Office of Public Security, the Cyber Security Task Force, and Cyber Security and Critical Infrastructure Coordination Initiative.

After serving as director of OFT for five-and-a-half years, Pelgrin was named in September of this year to head up the Cyber Security and Critical Infrastructure Coordination Initiative. The OFT and state public safety arms have been key participants in the Cyber Security Task Force, which serves under the Office of Public Security. In his new role, Pelgrin reports to the CIO of New York State.

The Cyber Security and Critical Infrastructure Coordination Initiatives emphasizes "information sharing" around cyber and physical security issues across state and local government -- and ultimately, with private industry, Pelgrin said.

At the same time, the program is abiding by state and federal privacy laws, he maintained during the ITAA lunch, the first in a series of ITAA meetings being held under the umbrella title, "Information Assurance in the States.".

Like private companies, state government also felt immediate impacts from 9/11, Pelgrin told the meeting attendees. About 2250 physical circuits were lost. "40 agencies went down."

Right after 9/11, GIS specialists in the state capital of Albany lent a hand to New York City by building 3-D maps that pinpointed any potential damage to gas mains, for instance.

Pelgrin's office later identified several priority "sectors" for cyber security, including utilities; telecom; health; finance and economy; and government and public safety. A set of "best practices for cyber security" is almost ready.

Different kettles of fish?
According to Akamai President Paul Sagan, though, network and physical security are two different animals.

"In the physical world, it's a question of 'when.' But in the IT world, 'when' is not (even) a question," Sagan told the audience at the NY eComm forum. Cyberattacks are "weekly occurrences."

Sagan acknowledged, however, that unlike their counterparts in physical security, IT security pros are not dealing with individual "point vulnerabilities" such as airplanes and buildings.

What can businesses do?
How can companies do a better job on IT security? Businesses are already rolling confidentiality and privacy protections into security, Sagan said. Now, distributed, decentralized and redundant networks need to be figured into the equation.

"Where people fail is in thinking about availability. If your network is brought down, (this will) render you unable to do electronic business."

When will companies add more network and/or physical security to their infrastructures? Just after 9/11. security vendors saw a "dramatic runup" in their stock prices, noted Brian Hayhurst, The Carlyle Group's managing director for US Ventures, also during the NY eComm Forum.

"(Security) had the potential of becoming another bubble," according to Hayhurst.

Meanwhile, though, a lot of customers are saying, "'I can't have more security. I can't pass the cost along to customers,'" Sagan said.

According to Rossetti, lack of integration between "point solutions" remains a roadblock to business spending on security. Several other speakers mentioned a "lack of standards."

Security managers are currently getting "inundated by firms with different technologies," Sheirer observed. The field, though, will "winnow out," he predicted.

» See All Articles by Columnist Jacqueline Emigh

This article was originally published on Thursday Nov 14th 2002