U.S. loses ground in global cyber race

An interesting shift in this year’s McAfee report on critical infrastructure security is that the United States has gone from being the most feared nation for launching attacks to No. 3 this year, behind China and Russia.

But if China is seen as the most offensive threat, it also ranked No. 1 in defense in the report, which was released April 19.

Chinese respondents in the survey reported implementing an average of 59 percent of possible security measures in IT systems, followed by Italy and Japan at 55 and 54 percent, respectively. Brazil is at the lower end, with about 25 percent, and the United States is the middle of the pack at about 44 percent.

Related stories:

Which country is most feared as a cyber threat? Guess again.

What’s so hard about public/private partnerships?

The private sector’s relationship with government appears to have a strong positive correlation with security posture. Japan and China both reported strong interaction between the public and private sectors, with frequent government audits of security. The United Kingdom and the United States reported the least interaction between the government and private sectors.

“The report indicates a strong correlation” between government interaction and private-sector security, said Phyllis Schneck, McAfee's chief technology officer. But “it is not quite clear what that relationship should be.”

A panel of government and industry officials discussing the report agreed that the answer is not regulation, which Schneck said leads to a culture of checkbox compliance rather than real security.

A number of cybersecurity bills have been introduced in Congress, and Kevin Gronberg, senior counsel to the House Homeland Security Committee, said comprehensive cybersecurity legislation is in the works in the committee, although he could not give a timeline for action on it. However, he warned that “passing comprehensive cybersecurity legislation will not end the debate on cybersecurity, nor should it.”

Gronberg said some changes are likely to be necessary to enable the Homeland Security Department to effectively carry out its responsibilities for ensuring the safety of civilian government and private-sector systems.

“DHS has probably done as much as it can do within the authority it now has,” he said. But he added, “I’m very concerned about a compliance regime being put on top of things.”

The release of McAfee’s report coincided with another security report, the 2011 Data Breach Investigations Report from Verizon, which was produced with assistance from the U.S. Secret Service and Dutch National High Tech Crime Unit.

Recommendations for improving security in both reports focused on the basics, including improved access controls and authentication, use of existing technologies such as encryption, increased oversight of access to control systems, and effective partnerships with government.

“The bad guys are not using some kind of James Bond or 'Star Trek' technology that we can’t protect ourselves against,” said David Ostertag, a global investigations manager at Verizon and a contributor to the report. “We know the attacks, and we know the protection. If you practice good basic security, you can protect yourself.”