• John M. Jack

    John M. Jack, president and CEO with Fortify Software Inc. in San Mateo, California

    Question: What can government learn from the private sector about protecting Web sites, databases, transportation nodes and the electrical grid from attacks by hackers, criminals and others bent on spying and harm?

    Jack: If the world’s largest banks and most advanced military organizations are losing terabytes of confidential data, then only the most foolhardy would assume their secrets are safe with the current cybersecurity strategies and technologies. The government clearly needs to follow the private sector by focusing on proactively improving security rather than simply blocking attacks. Vulnerabilities are everywhere. Identifying and removing them before a hacker strikes will ensure that the government prevents outside countries and criminal groups from stealing valuable information.

    Q: From your vantage point, what steps need to be taken now to bolster or create public-private partnerships on cybersecurity?

    Jack: I am not sure that the government needs to forge a radical set of partnerships, à la our space program in the 1960s. Today, all the capabilities that any business needs to operate securely in cyberspace are already in place. Government simply needs to encourage organizations to take responsibility for security and deploy these capabilities. It also should put policies and regulations in place that mandate minimum requirements businesses must meet to operate in cyberspace — just as we have policies and regulations that ensure the safety of our food supply.

• Ashar Aziz

    Ashar Aziz, founder and CEO with FireEye Inc. in Milpitas, California

    Question: What can government learn from the private sector about protecting Web sites, databases, transportation nodes and the electrical grid from attacks by hackers, criminals and others bent on spying and harm?

    Aziz: The government and private industry must first acknowledge that cybercriminals have successfully penetrated all traditional security software and gateways, as witnessed by the widespread takeover of U.S. computing infrastructure, both in private sector and government networks. Only then can we begin to work together to share practices that actually increase cybersecurity. Government can learn from the private-sector experience that piecing together disparate technologies leaves gaping holes in security, so a technologically coordinated system needs to be developed. A national cybersecurity system akin to NORAD [the North American Aerospace Defense Command] is needed to deter, detect and defend U.S. cyberspace.

    Q: From your vantage point, what steps need to be taken now to bolster or create public-private partnerships on cybersecurity?

    Aziz: It is imperative that the government undertakes significant and comprehensive actions in light of existing “on-the-ground” realities. First, Cabinet-level leadership is needed to coordinate national efforts around cybersecurity. Next, a federal threat assessment is needed to [create a] baseline [measurement of] the state of national cybersecurity. The review would need to incorporate both civilian and military networks, and analyze actual stealth malware [malicious software] attacks as well as identify gaps in cybersecurity. These reviews need to be an open process and incorporate input from industry and academia. Only then could anti-malware standards be developed for government and military networks.

    Q: This is a global problem, not just a U.S. issue. What has been your experience working with other international companies or governments abroad on cybersecurity issues? Are they ahead of the United States? What are the lessons learned?

    Aziz: FireEye’s takedown of the Srizbi botnet [a collection of compromised computers] provided firsthand knowledge of how undercoordinated federal and international cybersecurity is currently. Criminals simply move their cyberoperations from country to country to evade law enforcement. FireEye’s work with ISPs [Internet service providers] worldwide could be more efficient with a national cybersecurity agency. [South] Korea is ahead, having established the Korea Internet & Security Agency [KISA] “to react to such threats properly at the national level, and [with] integrated and systematic information security services.” A nation-scale, real-time situational awareness infrastructure would be a good first step for the United States to engage in the international fight against cybercrime. [For more about White House cybersecurity plans, see “Keeping America’s cyber infrastructure secure” on America.gov and “Obama: Nation Needs a ‘Cyber Czar’” on YouTube.com.]

• Peggy Canale

    Peggy Canale, government industry segment executive with Avocent Corporation in Huntsville, Alabama

    Question: What can government learn from the private sector about protecting Web sites, databases, transportation nodes and the electrical grid from attacks by hackers, criminals and others bent on spying and harm?

    Canale: Organizations must ensure that sensitive company data is protected with the most advanced solutions available, by implementing a proactive “layered” security strategy. Taking a layered approach means that government agencies and enterprises need to both expand and consolidate their security efforts to cover all bases. Elements of this policy should include asset discovery and inventory, patch [minor software modifications] management, malware [malicious software] protection, vulnerability detection and mediation, network access control, data-loss prevention and security-status tracking and reporting.

    Q: From your vantage point, what steps need to be taken now to bolster or create public-private partnerships on cybersecurity?

    Canale: Avocent was fortunate that 10 years ago a federal agency was impressed with our commercial product line and asked if we could make changes to meet the needs of the intelligence community and DOD [the Department of Defense]. We did. As a result we now have a line of products called the Secure KVM Switch and long-term relationships that have enabled us to innovate and grow while providing measurable value to our customers. The key to our agility is collaboration. To bolster public-private partnerships we have to have leadership and purpose as well as a shared responsibility in the success of our partnership.

    Q: This is a global problem, not just a U.S. issue. What has been your experience working with other international companies or governments abroad on cybersecurity issues? Are they ahead of the United States? What are the lessons learned?

    Canale: We are unique in that we provide both hardware and software solutions globally to private-sector companies and to the public sector. In our government business line we have seen the United States take the lead on cybersecurity of assets and networks dealing with national security, but we are also starting to see ongoing needs to standardize in the areas of protection of critical infrastructure like energy grids and refineries.

• Arthur W. Coviello, Jr.

    Arthur W. Coviello, Jr., executive vice president with EMC Corporation in Hopkinton, Massachusetts, and president of RSA, the security division of EMC, in Bedford, Mass.

    Question: What can government learn from the private sector about protecting Web sites, databases, transportation nodes and the electrical grid from attacks by hackers, criminals and others bent on spying and harm?

    Coviello: An area where the private sector is applying concentrated focus is in information sharing and collaboration to identify and shut down specific vulnerabilities. RSA manages something called the eFraud network where, working with major financial institutions and big ISPs [Internet service providers], we can shut down a phishing site [a site masquerading as a trustworthy entity to acquire sensitive information] in real-time. Traceability is key in addressing the challenges of cybersecurity and governments need to follow suit, cooperating with country ISPs to track down cybercriminals rather than spending their energies endlessly debating frameworks.

    It also makes sense for governments to provide incentives to build security controls into new infrastructure from the start, such as the smart grid for transmission of electrical power. Making the investment to address security, espionage and cybersecurity concerns up front is cheaper and positions us better for the future.
    Q: From your vantage point, what steps need to be taken now to bolster or create public-private partnerships on cybersecurity?

    Coviello: First, government and industry need to recognize their mutual dependence when it comes to addressing the challenges of cybersecurity. Governments can and must demand that private industry self-regulate. But they need to be less prescriptive in their guidance, focusing on outcomes and aligning to a strong information risk management model that balances risk and reward and does not needlessly harm American competitiveness and innovation.

    Second, too much government information is classified. The government needs to be less secretive and more open in how it’s sharing sensitive information. It works the other way, too. Owners and operators of critical infrastructures are out there seeing a lot in the wild; the government should receive that information from industry and act on it.

    Q: This is a global problem, not just a U.S. issue. What has been your experience working with other international companies or governments abroad on cybersecurity issues? Are they ahead of the United States? What are the lessons learned?

    Coviello: This absolutely is a global challenge. If we’re not developing a strategy based on public-private partnership that is international in scope, we’ll fail to make improvements in cybersecurity. As I talk with government and private sector leaders around the world, it’s clear to me more governments are prioritizing cybersecurity as a national and economic security issue. It’s also clear that attacks are increasing, some for financial reasons (intellectual property theft) and some related to espionage. … Look at the problem of international piracy on the open seas. [See Combating Piracy.] Nations are coming together to address these assaults on commerce and civil society and the laws of the sea. The same has to happen in cyberspace.

• John Stewart

    John Stewart, chief security officer with Cisco Systems Inc. in San Jose, California

    Question: What can government learn from the private sector about protecting Web sites, databases, transportation nodes and the electrical grid from attacks by hackers, criminals and others bent on spying and harm?

    Stewart: Both the government and private industry are determined to protect their systems, and the faster we get to effective answers, the better. Now is the time we need to help one another the most, and if the private sector has solved a problem the government is facing, then why not use it? This is not about technology alone. How government approaches public policy, standards and solutions can both solve and create problems — an unintended consequence. In many cases, the private sector owns and operates critical infrastructure networks, so let’s make sure we are equal partners in keeping them safe. [For more about what the President is saying, see “Proclamation on National Cybersecurity Awareness Month.”]

    Q: From your vantage point, what steps need to be taken now to bolster or create public-private partnerships on cybersecurity?

    Stewart: Both the public and private sectors require executive leadership with the authority to commit resources, and operational experts with the knowledge and training to prepare for, analyze and respond to threats. We need meaningful results in information sharing. We need for reasonable people to discuss and disagree, and yet reach a common ground. We need decisionmaking based on what the data tells us and to understand and manage risk effectively. And most notably, we need a sense of urgency by both sectors to understand the challenges we face and work together to ensure the United States and its constituents are safe.

    Q: This is a global problem, not just a U.S. issue. What has been your experience working with other international companies or governments abroad on cybersecurity issues? Are they ahead of the United States? What are the lessons learned?

    Stewart: Almost all governments aim to protect their citizens. Most large U.S.-based IT [information technology] companies are international enterprises. The result? Multinational companies talking to many different governments trying to identify complex and challenging issues. The United States certainly has robust public-private partnerships, and it needs to enhance global alerts and warnings more than exists today. Cyberattacks can circle the globe in a matter of minutes. There’s no time for international negotiations after an incident, so cooperative legal and technical relationships must be established and nurtured well in advance. These aren’t easy challenges, and that is why we must work on them together.

• Jose Nazario

    Jose Nazario, security research manager with Arbor Networks Inc. in Ann Arbor, Michigan

    Question: What can government learn from the private sector about protecting Web sites, databases, transportation nodes and the electrical grid from attacks by hackers, criminals and others bent on spying and harm?

    Nazario: Government must invest more in data security, which is the key to mission continuity. The private sector treats security as a matter of survival. The government has to treat it the same way, not as an afterthought, not as a last budget item. Also, government should consolidate resources. So many agencies have connectivity in so many different ways and under different staffs. There are political and budgetary challenges to bringing these together, but there’s a lot to be gained from doing so. In the July 2009 attacks on government Web sites, some agencies knew how to deal quickly with the attacks and who their interruption providers were; others had no idea.

    Q: From your vantage point, what steps need to be taken now to bolster or create public-private partnerships on cybersecurity?

    Nazario: The government should reduce its barriers for communicating to the outside world. They need to really broaden this up and identify who can talk and who should be talking with whom. Nobody “owns” [has exclusive claim to overseeing parts of cyberspace] the problem. There have been squabbles between DHS [Department of Homeland Security], the Air Force, NSA [National Security Agency] and others over who owns “cyber” in the government. It’s been a big mess. It would be a significant improvement if there were clear lines both internally and externally on who to talk to at the dot-mil and dot-gov Web sites. [For more about DHS plans, see “Secretary Napolitano Announces New Hiring Authority for Cybersecurity Experts.”]

    Q: This is a global problem, not just a U.S. issue. What has been your experience working with other international companies or governments abroad on cybersecurity issues? Are they ahead of the United States? What are the lessons learned?

    Nazario: Leading countries invest in their people and give them broad authority [over cybersecurity]. There’s unified authority and no restriction on changes they can make. South Korea went from being a number one global offender in having its computer resources abused to being a shining example in the cybersecurity space of how a country can deal with these problems. Public and private teams also work closely together in Japan. They set common goals. The people responsible for achieving those goals have the authority to manage and get things done.