There was a call for an integrated approach from government and enterprise to ensure online security at a recent presentation in Auckland by Dr Prescott Winter, CTO public sector, for security vendor ArcSight.
Winter cites the experience of the airline industry, which can be used towards developing a layered defence strategy for government and the private sector in the online arena.
In 100 years, the airline industry has integrated policy and process that includes international agreements and safety standards for aircraft, he says.
If you think about the airline industry, it is clear there is a whole set of principles that state very clearly what governments expect from the air industry and beyond, and those policies are then reflected in law and regulations in technical and operational standards.
The airlines understand what they have to do to pass safety inspections for their crews, for their aircraft, for their ground facilities and for the operation of the planes when off the ground. There are standards that are driven by the policies. Basically, we say we want the air environment [to be] reliable, safe and available for people to use.
We need to do the same kind of thing for the internet, says Winter, who worked in the US government defence sector before joining ArcSight (soon to be part of HP) in March this year. He worked for more than 25 years at the US National Security Agency, including positions as CIO and CTO.
In a sense, he says, the internet is available to use but is not necessarily reliable or safe.
Different governments, he says, need to sit down and think about it and come up with their descriptions of what they want to see. The next major hurdle is for governments to establish standards for protecting information in their own agencies and in large enterprises that deal with the public.
There is now a well-financed, technically-astute underground under the belly of the internet taking it into a black area and doing very well [in] taking stuff from enterprises around the world, says Winter.
He stresses their target does not have to be financial data. He cites an article by US Deputy Defence Secretary William J. Lynn III in a recent issue of Foreign Affairs magazine, on the departments new cyber-defence policy.
He talks about the fact that the loss of intellectual property (IP) is in the long run the single biggest threat here. That is not the issue most people are focusing on. There is a lot of talk about cybercrime and there is a lot of talk about loss of credit cards and public records."
Winter says there should be a more extensive focus on sensitive intellectual property. The military does, he says, because when it talks about IP, it means weapons technology, strategic plans and documents.
Sign up for CIO Asia eNewsletters.