Officials: How much security is enough?

In the White House situation room and in corporate boardrooms, people debate how much information security is enough — without reaching consensus. But a panel of national security experts said today that federal standards can help minimize the risk of a disruptive cyber event.

Standards that the National Institute of Standards and Technology is developing provide the basics of due diligence for federal agencies and businesses, said Ronald Ross, a senior computer scientist and information security researcher at NIST. He spoke today at an event in Washington, D.C., sponsored by the Wall Street Journal.

Businesses are not required by law to follow those information security standards, but Ross said many are doing so voluntarily because they can reduce the risk of a major cyber incident disrupting companies' business.

The federal standards include one for categorizing information systems assets based on whether their loss would pose a high, medium or low risk to the agency or business. Ross said people are spending too much time and money to protect low-risk systems and not enough on high-risk systems.

He said NIST will soon issue another federal standard requiring specific security settings and controls for protecting low-, medium- and high-risk systems.

Roger Cressey, president of Good Harbor Consulting and a former counter-terrorism official, said the Homeland Security Department was slow to focus on cybersecurity vulnerabilities. To an extent, he added, the department is still reactive and “preparing to prevent the last attack.”

But Cressey said DHS Secretary Michael Chertoff has correctly adopted a risk management approach to the country’s cyber vulnerabilities. Whether Chertoff can gain support in Congress and elsewhere for that approach remains to be seen, Cressey said.