Flanked by two senior officials from the US Department of Homeland Security, Amit Yoran, the newly appointed director of the National Cyber Security Division in the US, made his first major policy address since joining the department less than three months ago.
The former director for vulnerability assessment at the Defense Department’s Computer Emergency Response Team and former vice president for worldwide managed security services at Symantec made his much-anticipated remarks at the inaugural DHS National Cyber Security Summit.
If there was a central theme, it was the need to create a sense of urgency, to start taking action on tough issues facing cybersecurity at all levels of society, and to begin to think differently about future threats to the nation.
Yoran said the nation could be witnessing “just the beginning of what could become a critical national weakness”.
He compared the IT community’s perception of future cyberterrorist threats to the early days of military air power, when most military thinkers dismissed the use of air power in war as ineffective.
“We need to be thinking about how today’s advances in cyberspace can be turned against us,” said Yoran.
Even though most cyberattacks have so far proved unsophisticated and have been predominantly criminal in nature, “We cannot count on that forever or even for long,” Yoran said. He was referring to the threat of terrorist-sponsored, coordinated attacks on critical infrastructures.
There was an air of tension at the summit, stemming from a Computerworld US report that raised questions about the motivations and role of the various IT vendor associations that sponsored the event, which was flatly denied by Yoran.
He also acknowledged the lack of critical infrastructure operators and other end-user companies attending the summit. Only eight such companies were among the 334 registered attendees. But he said he and others from DHS would be meeting with those organisations in the coming weeks and months.
If there was one issue the DHS did not have a satisfactory answer for — at least as far as the reporters present were concerned — it was the issue of whether the reporting of cybersecurity incidents should be made mandatory.