To Improve cyber-security, U.S. needs cohesive public-private partnership.

• Author: Farrell, Lawrence P., Jr.
• Position: PRESIDENT'SPERSPECTIVE

* It has become one of the perils of everyday life on the information highway--a cyberattack.

For the Pentagon, which operates 15,000 networks and owns more than a million computers, the risks are huge. Though Defense systems are attacked constantly--5,000 times per day by some accounts, and scanned millions of times per day--these digital invasions are little reported.

Banks lose millions of dollars a year from cyberintrusions. Each bank averages one million probes per month. These too, are little reported. The banks see this as a cost of doing business, and customers pay the cost in increased user fees. Manhattan District Attorney Cyrus Vance Jr. says, "The Internet is the crime scene of the 21st Century."

For the typical PC user, the average security software package provides little insight into the true nature or danger of these attacks. And the average attack by a new virus is almost never protected by existing security software. This protection almost always comes after many computers have been infected.

For the past three decades, the Pentagon's modernization investments have been shifting from platforms to upgrades to sensors, communications and intelligence-collection enhancements--all dependent on secure, well-functioning networks. The theory is that existing platform capabilities coupled with these "information" enhancements will provide dominant capability for U.S. forces. Adequate cyber-security is an implicit assumption to this development strategy. It is, too, a critical assumption.

NDIA member companies recently put together a white paper on the necessity to better acquire and field cyber-capabilities. The paper focused first on the problems with existing processes. Currently, responsibility is highly distributed and the acquisition is unfocused.

Multiple, overlapping policy, governance execution and reporting entities in Defense, Homeland Security, the Office of the Director of National Intelligence, the Energy Department, the Federal Energy Regulatory Commission (that promulgates requirements for the electrical grid) and other federal agencies inhibit effective cyber-protection. It is piecemeal and disjointed. The U.S. government is not taking full advantage of the investment that industry has already made in cyber-security.

There has been much capability already developed, but little emphasis has been placed on reuse and redeployment. Scant credit is given in procurements for already developed and embedded...