What worries you more, the threat of a major cyber incident or something physical that disrupts a significant portion of the Internet?
Purdy: We're trying to assess both risks so we're prepared in the event of a natural disaster, cyber incident, a physical attack or a combination. Physical security of key cyber assets is an important piece of preparedness. We see robust activity in cyberspace every day, and we have to deal with a range of sophistication among attackers. We worry about the more sophisticated attackers who can exploit vulnerabilities to steal money. They could conceivably [exploit vulnerabilities] to more directly attack the greater cyber assets.
Who has a bigger role to play in fighting those threats -- government or the private sector?
Purdy: It's difficult to say one or the other is more important. Both are essential. It's important that government have visibility in the state of affairs, raising awareness, partnering with private companies so we're ready to mitigate the greatest risks, and so we can work together if a serious cyber incident occurs. One side or the other is insufficient.
Your position has seen a lot of turnover in the last couple of years and some have complained the position lacks clout. Do you agree?
Purdy: [DHS Secretary Michael] Chertoff has made the decision that there will be a preparedness directorate, and that will improve our efforts. [Editor's note: Purdy refers to a restructuring plan Chertoff unveiled in July. Under the new chain of command, an assistant secretary of cyber and telecommunications will answer to an undersecretary for preparedness. According to the DHS's statement on the restructuring, the assistant secretary "will be responsible for identifying and assessing the vulnerability of critical telecommunications infrastructure and assets; providing timely, actionable and valuable threat information; and leading the national response to cyber and telecommunications attacks."]
The Zotob attack against the Windows Plug and Play flaw in August hit some companies hard despite the limited scope of the flaw and all the security tools available today. What does it say about our overall cybersecurity posture?
Purdy: This was an example of a known flaw for which there was an available patch. The difficulty of managing and assessing vulnerabilities and prioritizing what is patched is an ongoing challenge. Zotob demonstrated the importance of system operators installing patches in a timely manner. The need for a swift response to vulnerabilities is becoming more evident. Our software assurance program -- designed to develop more secure software and develop tools to find malicious code -- is high priority. This is a shared responsibility. It's not just about users securing things on their end. It's about software producers securing their products so flaws don't appear.
People tend to blame Microsoft for most attacks because of flaws in their software. Do you think they're doing what's necessary to address security?
Purdy: I had a lengthy meeting out in Redmond [in August]. There's no question Microsoft and others are working harder to reduce vulnerabilities. They're working in partnership with our software assurance program. They've made a lot of steps, from SP2 to the basic progression of the operating system, like the automatic update feature for XP. Some of the work they're doing with [Vista] shows a commitment to do better.
More and more users are adopting wireless technology and we've heard a lot of pros and cons about its role in cybersecurity. What are your thoughts?
Purdy: It's an example of a technology that's proliferated for convenience. You see use of it even in the third world. The appeal has been well ahead of the security. A number of vendors claim to have technology that provides real wireless security. For now though, if you have information you care about that you don't want others to have, don't use wireless. It's not robust and uniform enough. In the future we expect it will be, but today the technology is not yet mature enough to safely exchange the most sensitive information.
This article originally appeared on SearchSecurity.com.