Feds Say Ciao to Father of the CIAO

[InfoSec News <isn () C4I ORG>]

http://www.computerworld.com/cwi/stories/0,1199,NAV47-68-84-91_STO56349,00.html

[This one slipped past me, Any clue where Hunker is headed next?  -WK]

By DAN VERTON
January 15, 2001

When the Clinton administration leaves office this week, the federal
government will say goodbye to one of the national security
community's premiere experts on cybersecurity policy.  On Jan. 20,
Jeffrey Hunker, the senior director for critical infrastructure
protection at the National Security Council, will end a seven-year
stint in public service.

What started as a serendipitous move into a senior policy advisory
role under Secretary of Commerce Ron Brown in 1993 soon led to an
assignment to create a new national security organization that would
be at the forefront of the nation's cyberdefenses. In 1998, that
organization became known as the Critical Infrastructure Assurance
Office (CIAO).

Computerworld's Dan Verton recently sat down with Hunker in his office
in the Old Executive Office Building adjacent to the White House.
Here's what Hunker had to say about the future of the national effort
to protect cyberspace.


Q. What should the Bush administration do differently to make the
critical infrastructure protection effort more effective?

A. Part of the challenge is going to be working to educate Congress,
ensuring there is budget responsibility and accountability within the
executive branch and, equally important, actively working with the
insurance and audit industries to integrate the issue of cybersecurity
into the corporate risk management framework.

One of the biggest shortcomings in security right now is that there is
no commonly accepted set of best practices. One of the things that the
federal government should do is adopt a set of defined network
security best practices - not just on paper, because there is plenty
of guidance. They should then encourage their adoption in the private
sector as well. If we do that, it would help jump-start the insurance
market as well.

Also, we have virtually no pipeline producing trained cybersecurity
experts at this point. Addressing the nationwide shortage of those
people needs to be done very close to the top of the next
administration.


Q. What have you learned about the government/industry partnership?

A: I'm struck by how new and challenging the issue of cybersecurity
is. The government is not organized to deal with a crosscutting issue
like this.

Many of the approaches to developing partnerships don't exist, and you
have to build them from scratch. I've also learned that it takes a
long time to build an operating partnership with the private sector.


Q. What are some of the most significant issues in security that the
new administration will face?

A: I look at developing a legal structure as perhaps one of the most
important foundational elements to the future of cybersecurity.

For example, while there are reconstitution authorities that the
federal government uses whenever we have an earthquake or a hurricane,
there's substantial controversy about whether the federal government
in fact has legal authority to provide reconstitution support in the
event of a cyberfailure.

Likewise, we don't have a legal structure that can determine how you
assign liability for network failures.

We also need to formalize at the highest levels of the government the
working partnership between government and corporate executives.

We need to formalize the National Infrastructure Assurance Council and
start having meetings between corporate CEOs and the president on this
issue. It's time that we bumped it up to a president-and-CEO issue.

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".