Currently Skimming:

4 What Can Be Done Now?
Pages 97-105

The Chapter Skim interface presents what we've algorithmically identified as the most significant single chunk of text within every page in the chapter.


From page 97...
... Short-Term Recommendation 1: The nation should develop a program that focuses on the communications and computing needs of emergency responders. Such a program would have two essential functions:
· Ensuring that authoritative current-knowledge expertise and support regarding information technology are available to emergency-response agencies prior to and during emergencies, including terrorist attacks.
From page 98...
... In the short term, a practical option for providing emergency operational support would be to exploit IT expertise in the private sector, much as the armed services draw on the private sector (National Guard and reserve forces) to augment active-duty forces during emergencies.
From page 99...
... Short-Term Recommendation 2: The nation should promote the use of best practices in information and network security in all relevant public agencies and private organizations. Nearly all organizations, whether in government or the private sector, could do much better with respect to information and network security than they do today, simply by exploiting what is already known about that subject today, as discussed at length in Cybersecurity Today and Tomorrow: Pay Now or Pay Later.2 Users of IT, vendors in the IT sector, and makers of public policy can all take security-enhancing actions.
From page 100...
... Individual organizations can and should:
· Establish and provide adequate resources to an internal entity with responsibility for providing direct defensive operational support to system administrators throughout the organization. ... To serve as the focal point for operational change, such an entity must have the authority as well as a person in charge to force corrective action.
From page 101...
... 2002. Information Technology Research, Innovation, and E-Government.
From page 102...
... 102 INFORMATION TECHNOLOGY FOR COUNTERTERRORISM
As for the private sector, there is today no clear locus of responsibility within government to undertake the "promotion" of security across the private sector, because neither information and network security in the private sector nor IT products and services are subject today to direct government regulation.7 This will not necessarily always be true, but for
7 In this context, "direct regulation" is taken to mean government-issued mandates about what the private sector must do with respect to cybersecurity.
From page 103...
... IT sales to the government are a small fraction of the IT sector's overall revenue, and because IT purchasers are generally unwilling to acquire security features at the expense of performance or ease of use, IT vendors have little incentive to include security features at the behest of government alone. Indeed, it is likely
From page 104...
... Other policy responses to the failure of existing incentives to cause the market to respond adequately to the security challenge are more controversial. If the market were succeeding, there would be a significant private sector demand for more security in IT products, and various IT vendors would emphasize their security functionality as a competitive advantage and product differentiator, much as additional functionality and faster performance are featured today.
From page 105...
...
· Mandatory reporting of security breaches that could threaten critical societal functions;
· Changing accounting procedures to require sanitized summaries of information-security problems and vulnerabilities to be made public in shareholder reports; and
· Encouraging insurance companies to grant preferential rates to companies whose IT operations are regarded as meeting certain security standards of practice.


This material may be derived from roughly machine-read images, and so is provided only to facilitate research.