The Obama Administration has said that public readiness is a priority and has taken steps to strengthen the involvement of Americans in their own homeland security. However, officials acknowledge that there is still a ways to go. I present these proposals to help move forward citizen preparedness on a local, state and national level. I hope these suggestions can be a useful addition to the policy discussion and have submitted it to the Federal Preparedness Task Force. As always, I welcome your feedback:

1) CREATE CITIZEN PREPAREDNESS TASK FORCE — The lack of progress to date on public readiness and engagement underscores the need to develop new ways of approaching the issue. DHS Secretary Napolitano should create a Citizen Preparedness Outreach Task Force to assess the current state of public readiness and work on developing new approaches. At present, there is no clear social education analog to civilian emergency preparedness that can be easily pulled off the shelf so it will take some work to develop an effective program. In fact, the Commission on the Prevention of Weapons of Mass Destruction Proliferation and Terrorism in its final report recommended the Administration make citizen engagement a priority. But Chairman Bob Graham told me that the ‘WMD Commission’ did not did not find anything suitable it could recommend, and that something new has to be developed.

2) BETTER DEFINE WHAT IT MEANS TO BE “PREPARED” “READY” AND/OR “RESILIENT” — An American Red Cross survey indicated that 93% of Americans are not prepared for disasters. The truth is that no one can be fully prepared, but there is a need to offer the public a clearer definition — including a minimum level — of preparedness. That might include creating a family communications plan and storing tangible supplies but also knowing more about potential threats that every American should know. That doesn’t mean overwhelming people with too much information, but making sure they are at least familiar with some basics. (For example, the first time citizens hear about a ‘dirty bomb’ from government officials should not be in the moments after one has been exploded.) In addition to the content questions, there is also a word meaning issue to deal with as well. The Obama Administration has been emphasizing the concept of societal resilience. Should emergency management officials be talking about citizen resilience in their communities rather than preparedness or readiness?

3) SUPPORT & REPORT ON STATE/LOCAL PREPAREDNESS EFFORTS — Provide adequate seed money for state and local government to bolster civilian preparedness programs and link the grants to performance. Encourage authorities to report publicly on their level of citizen preparedness and create metrics for better measuring civilian readiness. Find interested governors to take on leadership roles and create pilot models in their states. There is a need to employ both “bottom/up” and “top/down” approaches to disaster preparedness combining state, local and community leadership and citizen involvement with federal commitment and focus. Ensure that government authorities can competently respond to disasters but also more strongly emphasize the need for the public and local communities to be prepared and self-reliant, particularly in the first 72 hours after a disaster.

4) HIGHLIGHT & SPREAD MODELS FROM AROUND U.S. & OTHER COUNTRIES — There is a need to help promote and implement best practices from communities around the U.S. and draw, where applicable, particularly from British and Israeli experiences. One model may be the United Kingdom’s National Risk Register, which sets out publicly the government’s assessment of the likelihood and potential impact of a range of different public health, natural and terrorist risks. It is designed to increase awareness of the kinds of risks the UK faces, and encourage individuals and organizations to think about their own preparedness. The Register also includes details of what the Government and first responders are doing to prepare for those emergencies and the role of citizens in those plans

5) USE ‘CARROTS’ TO CHANGE PUBLIC BEHAVIOR – Provide a tax write-off for citizens to buy preparedness-related products as a way to promote participation and to signal governmental commitment. Encourage states to create tax-free periods as is being done in Virginia and Louisiana (and has been introduced in the New York legislature). Also, consider targeting assistance to citizens who cannot afford to prepare. The fact is that when we really want to change social behavior as a nation we do it through the carrot or the stick. The carrot is the preferable tool for this issue, but it needs to be used. And, thus far, incentives (and vegetables) have largely been missing from the preparedness effort, which helps explain the lack of progress. Similarly, preparedness disincentives in the law should be removed (ie. in some places, homeowners who retrofit their homes face higher tax assessments.)

6) BRING IN BUSINESS TO DEVELOP INTEGRATED ‘WIN-WIN-WIN-WIN’ PUBLIC PREPAREDNESS MARKETING CAMPAIGNS– Design and roll out a full service preparedness marketing campaign with help from the private and non-profit sectors. Galvanize business to take on disaster preparedness in the same way they have with disaster response, most notably in the aftermath of Hurricane Katrina (ie. big box stores, packaged goods manufacturers, bottled water companies, wireless industry). Work with companies in preparedness-related businesses to offer major discounts tied to citizens taking actual readiness steps recommended by Ready.Gov and local emergency management offices.

For example, individuals and families come into ‘big box’ stores with emergency communications plans (or fill them out in the store) and in return they would receive a significant discount on supplies or free products (ie. if you purchase a case of bottled water, you would get your emergency supply thrown in for free). And if a customer signed up to volunteer for CERT or the Red Cross Disaster Services, they would get a bigger discount. Mobile phone retail stores would be excellent settings for preparedness events/trainings to help people register for government emergency text/e-mail alerts. I’d also like to see an event/photo-op with kids teaching their parents about texting and its role in an emergency. Here again, the companies would offer customers extra free text/phone minutes for completing the preparedness step.

7) DON’T BE AFRAID TO TELL THE CHILDREN — Put more emphasis on educating young people on preparedness by piggybacking on other related school-based social education efforts, most prominently fire safety. The challenge is the both the decentralization of the nation’s education system and the already high curricula demands on teachers. Yet, an effective fire education program was implemented in the schools beginning in the 1970’s, and there would seem to be a perfect fit to integrate a preparedness module into that existing program. The federal government should work with state and local officials as well as fire and education officials to determine how best to accomplish that objective.

FEMA Administrator Craig Fugate recently suggested expanding the Community Emergency Response Team (CERT) program for young people. I believe that a decision to expand CERT-type training in the schools would be welcomed on a bipartisan basis.There should be more public briefings on how personal tech would be helpful in an emergency, before the emergency (including how Twitter, Facebook and one’s smart phone can be invaluable). Further, every governmental preparedness web site should add a cell phone and an extra battery (or other power source) to the basic components of their recommended disaster supply kit.  Many private companies are working on applications for citizen emergency communications. Those business efforts need to be integrated with official alerts (ie. the new iteration of the Emergency Alert System) and unofficial citizen-based social media (as well as the news media). Both the content and distribution channels of emergency communications are changing and new models need to be developed.

8 EMBRACE AND ACCELERATE PREPAREDNESS 2.0 – There is a need to better inform the public on the potential of 21st century personal technology to prepare for and respond to 21st century emergencies. We must make Americans more aware of the capabilities of the technology at their fingertips (ie. wireless devices, social media sites) in advance and integrate it into disaster planning and response. The public’s new ability to access and distribute information offers both an opportunity and a challenge to government authorities.

There should be more public briefings on how personal tech would be helpful in a crisis, before the crisis (including how Twitter, Facebook and one’s smart phone can be invaluable). Further, every governmental preparedness web site should add a cell phone and an extra battery (or other power source) to the basic components of their recommended disaster supply kit. Many private companies are working on content and distribution applications for citizen emergency communications. Those business efforts can complement official efforts (ie. the new iteration of the Emergency Alert System) and unofficial citizen-based social media (and well as the news media). One hugely promising initiative is CrisisCommons which over the past year has created groups of volunteers throughout the world to bring technology to bear on disaster response issues.

9) FIND POLITICAL, CELEBRITY PREPAREDNESS SPOKESPEOPLE – During the time that I have covered the topic of citizen emergency preparedness, one of the most surprising things I’ve found is that there is no major elected official who has taken the lead on the issue. It’s surprising for a number of reasons: natural disasters and terrorism dominate the headlines and will continue to for the foreseeable future; citizen preparedness is pretty much an unassailable, bipartisan, patriotic and community-building topic; and even the smallest interest in Washington has at least one political champion (but not public preparedness). And, with much to do, there is a great opportunity to have a positive policy and political impact. To some in the readiness community, the absence of star power on the issue has been one reason for the lack of public attention. Though celebrities have been eager to participate in fundraising efforts after catastrophes like the Haiti effort), there is no big star who is singularly identified as a spokesperson for emergency preparedness.

10) GIVE THE PUBLIC MORE INFO SO THEY CAN BETTER PREPARE & PARTICIPATE – There is a need to better inform the public when it comes to disaster preparedness so they can not only ready themselves and their families but also be part of the policy debate. Let me mention two areas briefly:

a) Weapons of Mass Destruction (WMD): In its report, the WMD Commission argues that the incoming Administration should make an effort to inform and engage the public on the subject of WMD’s. I agree. And, I suggest officials consider starting that process by defining (or redefining) what a WMD actually is. At present, it is most common to define a WMD for the public as a chemical, biological, radiological, and nuclear (or “CBRN”) weapon.

The Commission report, however, focuses primarily on the dangers of biological and nuclear terrorism, both of which could be absolutely catastrophic. By contrast, a chemical or radiological (better known as a ‘dirty bomb’) weapon could be very serious but would likely not cause as much lasting damage. In fact, both a chemical and radiological attack would likely be a one-shot event seriously impacting those directly near the event, closer in result to a ‘traditional’ terrorist bombing. A nuclear bomb or biological incident, however, could have wide and long-lasting ‘mass destruction’ impact to humans, property and the society itself. We don’t want the public — and the nation as a whole — to overreact to some threats and underreact to others.

b) Risk: I think it may be one of the most important homeland security subjects for both the government and the public, because it highlights some of the tradeoffs involved in determining how to allocate the nation’s security resources and the role of risk management in making those decisions. This is a debate which should include the public. Right now, Americans aren’t engaged in the discussion over the security, financial, logistical and time tradeoffs involved in our own homeland security.

We need to introduce risk management into homeland security which would lead us to ask and answer important questions: What improves our security and resiliency? And what can be done at a reasonable social and financial cost? Those answers should come not only from policymakers but with the guidance of the public itself.

The public should be asked: How much risk do you want to pay for? How much inconvenience do you want to deal with? These are dilemmas we deal with everyday in our lives; we need to bring that same approach to homeland security and disaster preparedness. FEMA’s Fugate has since his days in Florida made the point that natural hazards turn into natural disasters because of man-made decisions on development, including ubiquitous golf courses: “You can tee off in Tallahassee and play through to Pensacola,” he likes to say.  ”Unless the public understands we need to change where we develop and live, it won’t matter.” It is up to elected officials to present those choices, including building codes, levies and insurance incentives.

11) ‘SEE AND SAY’ SOMETHING MORE – Build upon the initial success of ‘See Something, Say Something’ -type citizen information campaigns by providing the public with more specific guidance on how to assist law enforcement and, without giving away sources and methods, offering more feedback on the information they have provided. Law enforcement officials are concerned about societal complacency nine years since 9/11, but have not determined how to communicate to the public a more candid – yet calm and balanced – picture of the threat and how they can best help. The Department of Homeland Security is expanding “See Something, Say Something” nationally, which is a positive development. However, there is still a need to better explain to citizens their role, particularly at a local level. One important question is how much of what new information and training given to law enforcement about terrorism prevention should also be provided to the public.

12) MEDIA SHOULD COVER PREPAREDNESS AS WELL AS DISASTERS – While the press does wall-to-wall coverage on natural disasters and has covered practically every aspect of terrorism story closely, it has largely overlooked advance public preparedness. By contrast, during the Cold War, magazines ranging from Life to Modern Farmer dedicated entire issues to civilian readiness. Obviously, the press’ role is not to serve as a publicity arm of the government, but it is a topic that deserves more attention. And without more media coverage, it will be difficult to break through to the public. One great example of the press as a unique asset is the list of preparedness tips and lessons learned from the disaster survivors that was collected by the New Orleans Times-Picayune.

13) GOVERNMENT PREPAREDNESS OUTREACH NEEDS TO BE FAR MORE INTERACTIVE — Right now, if a member of the public has a question about the preparedness process, there is nowhere to go. And, as someone who does a lot of public outreach on street fairs, radio or in community meetings I hear a lot of questions from average citizens about emergency readiness — ie. Shouldn’t buildings have mandatory emergency drills? Shouldn’t everyone have a solar charger in your ‘go-bag’ to be able recharge a cellphone or radio? Shouldn’t you have an evacuation family meeting spot outside of the City in case there is major disaster? In case of an emergency, where should we go for information? The emergency management community on a national, state and local level must overhaul its public information operations to be able to address those questions directly and lead the public through what can be a challenging process to undertake.

14) ‘DO ASK, DO TELL’: MAKE “PERSONAL RESPONSIBILITY” MORE CENTRAL TO PREPAREDNESS MESSAGING — Instead of telling people to prepare because it is a responsibility (you need to do this), government has used a softer ask when it comes to trying to get the public to prepare. To me, the it is time to try to do more “telling” and less “asking”. I don’t believe the government should be afraid to explicitly tell the public that each of us can either hinder or help relief efforts by what they decide to do before and during a disaster. And, that it’s up to each of us to choose.

If indeed preparing for disasters is a responsibility of citizenship (which I think it should be), then it should been positioned that way. PSA’s saying that people are imperiling the lives of first responders and their fellow citizens, particularly the vulnerable (ie. the elderly, disabled) not to mention your own family might be treated with a little more urgency. Another potentially useful messaging approach was suggested to me by former Miss Utah Jill Shepherd who used citizen preparedness as her pageant platform. It can (and should) be included in the preparedness pitch that readying yourself and your family for disaster at home is a way civilians can contribute to the nation’s resilience and complement the work and sacrifice of those serving in the military. Preparedness may be the most important contribution most citizens can make to their nation’s security. Not only will civilians likely be the first on the scene of a major emergency, but the nation’s response will only be as strong as the readiness of the weakest link. We have entered the ‘pro-am’ preparedness era where the government needs to hand off some responsibility and the public needs to take it.

15) INTEGRATE EMERGENCY PREPAREDNESS INTO OTHER COMMUNITY ISSUES — Emergency preparedness is an important issue, particularly during crises. However, it has a better chance of becoming ingrained into American society if it is viewed as part of other preparedness topics that are a more central part of Americans daily life, including public health (immunization), security (Neighborhood Watch), infrastructure and climate change, part and parcel of just being ready for any situation.

For example, the global warming campaign can and should be a model for civilian emergency preparedness in a variety of ways. The two efforts are complementary and should be linked closer together in the public’s mind — and actions. In both, society is being asked to mobilize in order to avert or mitigate potential disasters, and both are part of strengthening the nation’s general national resilience. Yes, global warming has some skeptics, but so does emergency preparedness — ironically they are often not the same people which may conveniently add to its complementary synergy.

16) EXPAND EMERGENCY DRILLING OPPORTUNITIES TO PUBLIC –Increase chances for citizens to participate in disaster drills, which would help people focus on the issue and work through the key questions everyone should ask before a disaster (ie. How will you get information and communicate with your family? Do you know the emergency plan of your children’s school?). Most every top homeland security/emergency management official I have interviewed has told me that broader public disaster exercises would be helpful in a number of ways, but there has not been a concerted effort to expand drilling opportunities to the public.

17) DETERMINE BEST USE OF CIVILIAN DISASTER VOLUNTEERS – Craig Fugate said recently that FEMA would be reevaluating the Community Emergency Response Team (CERT). I think that as part of that review government and non profit officials should be looking at how best to recruit and deploy disaster volunteers. Post-9/11 and Katrina — as well as with international incidents such as Haiti — there has been great interest among the public to be involved in crisis response. A key question is how that asset should be managed. Should it be the government? The Red Cross? Other non-profits and faith-based institutions? Business? Or a combination of the four? One hugely promising initiative is CrisisCommons which over the past year has created groups of volunteers throughout the world to bring technology to bear on disaster response issues.

Fugate said that FEMA is considering major changes in the CERT program, including creating a shorter training course which could be offered to more Americans and significantly expanding training for schools and other youth groups in order to better imbed preparedness into society for the long-term. I’ve always felt that CERT training is less about the skills you learn and more about awareness about the community and the various emergency authorities (and identifying citizen crisis organizers in advance). To me, CERT is just basic citizenship training for the 21st Century, which I think every American should get a chance to receive. I might suggest that the smaller reduced curriculum be called something along the lines of “Citizen Resilience Training”.

18) ESTABLISH AN OFFICIAL PREPAREDNESS DAY — Create a National Preparedness Day to focus public attention before disasters, including briefing citizens, conducting drills, and filling emergency kits. A helpful model is Japan’s Disaster Prevention Day held on September 1st, the anniversary of the catastrophic 1923 Tokyo earthquake. Earlier this month, 670,000 Japanese participated in emergency drills around the country. China, since its 8.0-magnitude 2008 Sichuan Province earthquake, has also held two national disaster prevention days with nationwide drills.

If we as a nation feel it is really important for the public to develop emergency plans, it would be far more effective if everyone was doing that at the same time — rather than asking individuals to do it on their own. This ‘preparedness day’ would also be the time that we all asked the questions about planning then practiced and updated those plans. It would be useful for both responders and the public. I might suggest September 11th be made the U.S.’s official Day. It would seem to be appropriate to honor the memories of those who died by action, particularly something aimed at making sure America is never as unprepared again.

19) CREATE CITIZEN PREPAREDNESS OFFICE – Establishing a national citizen preparedness/resilience office to highlight and help coordinate efforts around the U.S. and ensure citizen preparedness remains a priority. Right now, there is not an identifiable place in the federal government that has responsibility for coordinating the public’s role in preparedness. Work with American Red Cross to create an effective advocate for the general public on emergency preparedness in the same way disabled and pet groups have done for the disaster needs of their communities over the past several years.

20) BUNDLE CITIZEN PREPAREDNESS PROPOSALS TOGETHER INTO “CITIZEN PREPAREDNESS INITIATIVE” – For too long, well meaning public preparedness efforts have gotten lost or have been ignored by the public. That’s in large part because they have not been packaged and presented as being specifically directed to citizens. But if the government would assemble these small disparate proposals listed above into an overall citizen preparedness package it would have a better chance of getting attention and gaining some traction. Ultimately, making inroads on citizen preparedness is less a matter of money than it is of focus and attention.

Melissa Short’s “Cybersecurity Starts Here” campaign was one of the winners of the National Cyber Awareness Challenge “which called on members of the public and private sector companies to develop creative and innovative ways to enhance awareness of the importance of cybersecurity and safeguard America’s computer systems and networks from attacks.”

Melissa Short, DHS Cyber Challenge Winner

The Challenge, which Secretary Napolitano announced in March, received more than 80 proposals, from which seven were selected which will help inform the National Cybersecurity Awareness Campaign. It is designed to engage the American public, the private sector and state and local governments in efforts to guard against cyber threats and communicate strategies for the public to help keep themselves, their families and communities safer online. The Campaign will kick off in October 2010, in conjunction with National Cybersecurity Awareness Month.

It is also another deliverable on Secretary Napolitano’s pledge to begin “engaging and empowering our citizens to be part of collective effort” towards “creating a culture of awareness And preparation”. Cybersecurity has become more central to the nation’s homeland security and in fact was mentioned for first time in President Obama’s National Preparedness Month proclamation this year.

Short told me in an interview that in her campaign entry she wanted to make cybersecurity more accessible and doable for the average citizen: ”How do we make cyber security relevant to their lives? But give them steps they can actually do.”

“There’s no silver bullet. It won’t happen overnight,” she says, adding, ”I hope we can get a dialogue when we’re talking about security. Get a discussion going among the public.” Short works at the U.S. Veterans Administration in Roanoke, Virginia in information technology, but  says she is “non-technical” so she feels she can understand both the expert and non-expert worlds.

DHS spokesperson Meredith Isola explained why DHS reached out to the public:

“Everyone has a stake in cybersecurity –- and we believe that all Americans can be part of the solution to keeping our cyberspace safe. And so we knew that by tapping into some of the wisdom and creativity of the public and cyber experts, we could come up with some great ideas for getting the word out more broadly.”

“Every day Americans are incorporating new and innovative technologies into their lives. We’ve come to rely on computers, smartphones and many other online resources at home, at work and at school. That heightens the need for every single one of us – young or old, computer savvy or not – to learn about the potential threats and how to stay safe online.”

According to Short’s campaign proposal:

“Cybersecurity Starts Here” is my vision for a campaign to increase the cybersecurity awareness of the American public. The objective of this campaign is to build a general security consciousness among the American public through communication via a portal web site, advertising and public relations, Web 2.0 presence, and face-to-face interactions. The term “cybersecurity” conjures up images of complex networks and rooms aglow with monitors and buzzing with computing power. Cybersecurity sounds like a term for government and big business. However, the reality is that cybersecurity impacts all of our lives and we all have the ability and the need to take steps to protect our computers, ourselves, and even our Nation.

The general, non-technical public, is the primary target of this communication. The campaign also recognizes two key sub-groups of the American public: small businesses and students. In addition, this campaign makes considerations for educating the general news media on cybersecurity issues in order for these outlets to improve their coverage of the topic. This campaign will reach the American public with practical and ready-to-implement suggestions for integrating cybersecurity into the everyday computing experience.

A key to the long range success of the Cybersecurity Starts Here message is encouraging a nationwide dialogue on cybersecurity and engaging the public in face-to-face conversations on cybersecurity will help achieve this goal. The centerpiece is creating a “Cybersecurity Ambassadors Program” comprised  of people who work in IT (ex. IT specialists, ISOs, CIOs, system administrations, IT security specialists, help desk specialists), people who have an interest in IT security (ex. police personnel), or people who have a special relationship with a target public (ex. educators, school administrators, teen mentors, college residence life staff, small business support organizations) who want to build the cybersecurity awareness in their workplace, community, church, civic group, etc.

The campaign will be integrated into DHS’s cybersecurity public awareness efforts. Says Short: “It will be very cool to see my ideas implemented.” The other Challenge winners were:

Best Iconic and Overall Structure – Deloitte “Think Before You Click”

The Best Iconic and Overall Structure submission was Deloitte for their Cybersecurity call-to-action and “Think Before You Click” campaign. In addition to proposing creative messaging and tag lines, innovative marketing strategies and calls to action, Deloitte proposed a symbolic icon to help drive awareness and recognition of the campaign for adults and young adults, as well as a character to drive cyber awareness with kids.

Best Local/community Plan – eCity San Diego and MyMaine Privacy

For the Best Local/Community Plan, Securing Our eCity San Diego and MyMainePrivacy were both selected as winners. Both proposals offered innovated strategies for grassroots collaborative approaches with state and local government, public and private sector, and the academic community through their online classroom style trainings.

Most Creative – Beekeeper Group and LegalNetWORKs “Trot Against Bots”

For Most Creative, the submission from Beekeeper Group and LegalNetWORKS for their “Trot Against Bots” awareness 5K was selected. The strategy acknowledges that planned road races by their very nature close down city streets for a period of a few hours, and proposes working with local officials to organize a 5K in a city that would illustrate how a single runner (symbolizing a botnet) may not shut down traffic, but a group can (vehicle traffic would symbolize Internet traffic).

Best Educational plan – Penn State “CyberLink Games”

Penn State’s proposal was selected as the Best Educational Plan, for their CyberLink Games, which are aimed at improving Internet security. There are two games—CyberLink Duo helps players understand how society views cybersecurity risk and CyberLink Solo helps to educate players on the latest information from experts on cybersecurity threats.

Best Publicity and Marketing – CISCO “Cybersecurity is Everyone’s Responsibility”

Cisco Systems’ proposal was selected as the Best Publicity and Marketing plan for their “Cybersecurity is Everyone’s Responsibility” campaign. An overarching theme of the National Cybersecurity Awareness Campaign is creating a balance between Internet safety as a personal responsibility and a shared responsibility. The awareness campaign Cisco proposed aligns with this goal by creating an educational cybersecurity portal and a cybersecurity “IQ challenge,” and utilizing print, radio, TV and online advertisements to drive awareness of these programs.

The U.S. Cyber Challenge is looking for 10,000 young Americans with the skills to fill the ranks of cybersecurity practitioners, researchers, and warriors.

“The U.S. Cyber Challenge is a nationwide talent search that aims at nurturing those individuals who are interested to make it through the abyss on the other side where there are scholarships, internships and jobs,” says Karen Evans, the one-time de facto federal CIO. “This is a framework to develop their skills, give them access to advanced education and exercises, and enable them to be recognized by colleges and employers where their skills can be of the greatest value to the nation.”

The full article can be found here.

The information networks that nearly every American relies on are under constant attack by sophisticated cyber adversaries. These adversaries target our identities, our money, our businesses, our intellectual property, and our national security secrets. They often succeed. What’s more, they have the potential to disrupt or disable vital information networks, which could cause catastrophic economic loss and social havoc. We are not prepared.

Rockefeller and Snowe are sponsors of the Cyber Security Act of 2010. What’s particularly relevant for this blog is that the legislation has a section focused on what citizens can do to contribute to the nation’s cybersecurity. In fact, the second proposal in the op-ed is to: ”Launch a new public awareness campaign to make basic cybersecurity principles and civil liberty protections as familiar as Smokey the Bear’s advice for preventing forest fires”

Much of cyber security effort is the responsibility of the government and private sector, but there is also public role. That has been underscored by DHS Secretary Napolitano and other experts. Yet, as the senators point out, more work needs to be done to get that message through to the average user.

“Just as with our nation’s preparedness for natural disasters or terrorist attacks, our nation’s cybersecurity is a shared responsibility. And it’s an opportunity for you, as an individual, to personally contribute to our national security. Securing your home computer helps you and your family. And it also helps your nation in some very important ways. It helps by reducing the risk to our financial system from theft; and to our nation from having your computer infected and then used as a tool to attack other computers.

As individuals, the steps you need to take are clear, and they will make a big difference:

* Install and activate firewalls for your computer and internet connection

* Make sure your anti-virus and anti-spyware software is installed and up-to-date

* Check your computer settings to make sure your operating system and applications are automatically patched

* Practice good online habits by not visiting suspect sites, downloading suspicious documents or attachments, or opening email from people you don’t know

* Back up your files regularly and use strong and secure passwords; and

* Begin educating your children early about staying safe online.”

The full transcript and the web video can be found on the DHS website here.

Though much of the high-tech work on this issue is being done by government and the private sector, National Cyber Security Awareness Month aims to underscore that average computer users also have a role according to the Department of Homeland Security (DHS):

“The theme for National Cybersecurity Awareness Month 2009 is ‘Our Shared Responsibility’ to reinforce the message that all computer users, not just industry and government, have a responsibility to practice good ‘cyber hygiene’ and to protect themselves and their families at home, at work and at school.”

At the DHS website, computer users can find: ”a few simple steps to keep themselves safe online. By doing so, you will not only keep your personal assets and information secure but you will also help to improve the overall security of cyberspace…There are many things businesses, schools, and home users can do to practice cybersecurity during National Cybersecurity Awareness Month and beyond.” They include:

* Make sure that you have anti-virus software and firewalls installed, properly configured, and up-to-date. New threats are discovered every day, and keeping your software updated is one of the easier ways to protect yourself from an attack. Set your computer to automatically update for you.

* Update your operating system and critical program software. Software updates offer the latest protection against malicious activities. Turn on automatic updating if that feature is available.

* Back up key files. If you have important files stored on your computer, copy them onto a removable disc and store it in a safe place.

In trying to get the public to prepare for cyber threats, government — as well as industry in this case — faces some of the same obstacles as informing and readying the citizenry for other threats. Here too, there is a need to more fully illustrate the potential dangers and show how the average user can really have an impact on the nation’s cyber security effort.

“Our digital security problems start with ordinary computer users who do not take security seriously. Their computers can be infiltrated and used as vehicles for attacks on military or corporate systems. They are also often the first place that adversaries go to steal credentials or identify targets as a prelude to larger attacks.

President Obama has recognized the need to educate the public about computer security. The government should jump-start this education by mandating minimum computer security standards and by requiring Internet service providers to deny or delay Internet access to computers that fall below these standards, or that are sending spam or suspicious multiple computer probes into the network.”

This is a subject I will be continuing to follow, and I’ll be interviewing Goldsmith to discuss it further sometime soon.

The report identified strategic objectives the federal government should pursue for improved cyber security. It examined the challenges facing the economic, physical, and human infrastructures and asserted that cyber security needs to be a national priority.

“Moving toward a more secure information infrastructure will require a concerted and committed effort on multiple fronts with the government playing a major role in creating and managing an effective national research and development effort,” the report concludes. “The new Administration has a major opportunity to direct and coordinate cyber security research and development efforts in ways that could provide protection from threats in the near term.”

Of particular interest to this blog is that the study authors point out one of those “multiple fronts” on the cyber security effort is the user public. The report identified priorities for the next 5-10 years, one of which is to better educate and engage citizens of all ages. Noting that the “human dimension of security must be address,” the report recommends:

“…awareness raising and educational campaigns directed at the public and private sectors as well as the general public must be developed. At the same time, IT ethics and security training must be built into K-16 curricula to ensure that the next generation becomes a positive force in the quest for better security.”

Cyber security is a growing concern of homeland security experts and policymakers I have spoken to, including recently former Homeland Security Secretary Michael Chertoff. A Obama cyber security transition adviser also last week said that the nation is not prepared for a ‘cyber Katrina’. Though much of the necessary high-tech cyber security work is being (and will be) done by government and the private sector, average computer users should realize that they have a role as well.

The Roundtable took place at the Secretary’s ’satellite’ office at the Ronald Reagan Office Building near the White House. It was pegged to October’s National Cyber Security Awareness Month which according to DHS is “designed to educate the public on the shared responsibility of protecting cyberspace.” A full transcript can be found here.

Others attending the Roundtable were HLS Watch’s Jonah Czerwinski, CQ’s Jeff Stein, Consumer Reports’ Jeffrey Fox, Federal Computer Week’s Ben Bain, Heritage Foundation’s Jena Baker McNeill, and Ars Technica’s Julian Sanchez. (I attended a previous Bloggers Roundtable held by Secretary Chertoff on emergency preparedness in May.) 

In his opening remarks, Chertoff called cyber security “perhaps an area of vulnerability we have that remains the greatest challenge in terms of addressing” and added: 

“It’s not a secret that, you know, if you look at what happened in Estonia, looked at what happened in Georgia, if you look at that massive identity theft that occurred in California that I announced we had made some arrests this past August, we’re becoming more and more acutely aware of the vulnerability we have at all levels: denial of service, corruption of information, theft of identity, exfiltration of confidential information. All of these are critical issues.”

Though much of DHS’ cyber security effort is focused on federal systems and critical infrastructure (and that was the subject of most of the discussion during the Roundtable as HLS Watch nicely covers in its post), Chertoff says that the public has a significant role in cyber security both in their workplaces and at home:

“There’s public in your own personal life and there’s the business community. The business community obviously, to the extent they operate critical infrastructure, they have a role to be responsible not only to themselves and their own businesses, but to the wider community that depend upon them. Because we are interdependent. If the power grid goes down because somebody hasn’t adequately protected their systems from an IT denial of service attack, that’s going to have implications for everybody who relies on that power.”

“So there’s an awful lot the private sector has to do. It reminds me of the Y2K period when the private sector was required to step up and make sure it was protecting its assets. So part of what we’ve been in the process of doing is we’ve set up a committee with the private sector built upon the model that we’ve been using successfully over the past several years to create a national infrastructure protection plan. And the idea is to have a — it’s a critical infrastructure coordinating committee that looks in particular at computers and spans all of the sectors, recognizing that each sector is going to have unique challenges and is going to want to look at different kinds of issues.”

“From a homeowner standpoint or personal standpoint, you know, obviously you don’t want your computer turned into a — you know, taken over by bots and then converted into an attack vector. But on a more prosaic level, you don’t want your personal stuff, your financial records exfiltrated. You don’t want to have your computer become sluggish and unable to operate.”

“And, you know, this is really an area — it is like the disaster area where personal responsibility is important. If you don’t change your password periodically, if you don’t update your firewalls and your anti-virus, you’re just — you know what it’s like? It’s like taking your wallet and throwing out on the street. And no one would suggest doing that. No one suggests just leaving your door wide open without a lock.”

“For many people, that’s how they view the computer, and, you know, whether it’s — to make a larger point, whether it’s preparing yourself for physical disaster with water and food as we’ve talked about, John, or whether it’s taking reasonable security over your computer, people have got to do this. Because otherwise, they’re going to get victimized and then they’re going turn and say, well, who’s going to help me? And the answer is, it’s going to be a lot harder to help them after the fact than if they take reasonable precautions.” 

Chertoff said that he thinks ultimately the key to cyber security at the consumer user level may be changing the security paradigm:

“…I would actually make the case — and this is not with the Cyber Security Initiative, but it’s another initiative we’ve talked about — that part of what we need to do is we need to change from a model in which your assets are controlled by your, for example, your Social Security number, which is a very weak way to control your assets, to a way in which your assets are controlled by some combination of a biometric, a token, and maybe some secret knowledge that isn’t kept in a database.

“If you — bear with me for a second. If you had a system where in order to access my bank account you had to use my biometric and a token as well as a number, it wouldn’t matter if you stole the number, because the number wouldn’t do anything for you. It would be like having my name. It doesn’t do anything for you. So I actually think we need to step out — I mean, in the short run, you want to protect the information by encrypting it and securing it.”

“But in the long run, I think you want to move away from a model which I consider inherently vulnerable, where the very information that you’re trying to protect is the information you have to disseminate in order to validate yourself. So as you — the more effective use you make of the information, the more vulnerable you become. I’m suggesting we paradigm shift.”

“On the issue of theft of data over the Internet, whether it’s wireless interceptions like we had out in California, there again, a lot of the key is encryption. It is a different architecture for how we validate and verify people so that we don’t have — so that getting a single piece of information about you doesn’t really do any good, because it’s not enough to get you into an ability to corrupt somebody. And of course, part of it is just doing what we can to secure the networks against hacking or intrusions.”

“But, mind you, you know, it’s not just about hacking. It can be about interception of wireless transmissions. It can be about theft of data by insiders. You know, someone told me that people stick a lot of data on a thumb drive. You’d be amazed how many thumb drives are found on the floor of airplanes, commercial airplanes, because people drop them out..” 

“…What I’m saying is, there’s a whole spectrum of threats. And what I want to encourage is not just to think about the obvious thing or the thing that gets written about, but to look at what I call game changers, ways to actually organize protection of our identity so that we are not so vulnerable to the theft of a single piece of information or a Social Security number, because that is insufficient to allow someone to actually seal someone’s assets. And I think this is a huge issue. You can tell I’m interested in it because I’m talking about it a lot.”

I intend to ask him about the citizens role in cyber security and specific things that average users like myself can and should do. But if you have another question you think I should ask, please send it to me at jsolomon@incaseofemergencyblog.com.