SecurityFocus 2008-04-12
SAN FRANCISCO, Calif. -- Top Bush Administration officials descended on the RSA Security Conference this week, laying out the government's plans for protecting critical networks and giving a small taste of the latest national cyber exercise, Cyber Storm II.
On Tuesday, Michael Chertoff, Secretary of the five-year-old Department of Homeland Security, stood in front of attendees during an unscheduled keynote and reiterated many of the themes pushed by the Bush Administration -- and the Clinton Administration before it -- regarding cybersecurity. Among the top initiatives, Chertoff expounded on the need for public-private partnerships, and for each company and organization to protect their part of the network.
"Because of the interdependence of our society and our economy, a cyberattack would have consequences across the market," Secretary Chertoff told attendees. He added: "A single individual, a small group of people, and certainly, a nation-state can cause damage on a scale that had previously been seen only if you dropped bombs."
The Department of Homeland Security gave security professionals the full-court press at the conference. In addition to trotting out Secretary Chertoff, the U.S. agency also had Gregory Garcia, the assistant secretary for cyber security and communications, speak during two sessions, including a "Town Hall" meeting on Wednesday that discussed some aspects of last month's cyber response exercise.
Other business and government officials -- including Rep. James Langevin (D-RI), the chairman of the House Subcommittee on Emerging Threats, Cybersecurity and Science and Technology, who has been critical of some of the Bush Administration efforts -- credited the government with making some progress in the past year.
"Up 'til now, in many respects, it has been an area that has largely been ignored by the government," Langevin said during a Tuesday panel on the nation's cyber readiness. "I believe we will never be 100 percent secure just because of the nature of the Internet, but I believe we have to" work together to improve security.
The focus on cybersecurity is a departure from the short shrift that the government gave to the issue at the beginning of the decade. While the Bush Administration released its National Strategy to Secure Cyberspace in 2003, the final document significantly softened the government's stance on securing critical infrastructure, which is primarily maintained by private companies. The Administration also collected most of the cybersecurity capabilities into the Department of Homeland Security and then failed to fund the efforts.
On Tuesday, Secretary Chertoff stressed that DHS intended to fund the U.S. Computer Emergency Readiness Team (US-CERT), the nation's cyber response organization, at $115 million in 2008, with a requested budget of $192 million in 2009.
In the last two years, the Bush Administration has focused more intently on securing government networks. Among the initiatives, US-CERT has deployed a network-traffic analysis system, known as EINSTEIN, to monitor 15 agencies for possible computer intrusions. The National Institute of Standards and Technology has created the National Vulnerability Database and worked with other agencies to create important standards for configuration management and vulnerability detection. The Office of Management and Budget, along with NIST, is spearheading an effort to get all desktop computer systems within federal agencies to use the Federal Desktop Core Configuration -- a standard, secure configuration for Windows XP and Windows Vista.
The Bush Administration also announced its so-called "Cyber Security Initiative" -- a plan to minimize the number of trusted Internet connections, or TICs, serving federal agencies from more than 4,000 to approximately 50, and improve EINSTEIN's monitoring on those connections to prevent attacks in real time. The Bush Administration has reportedly budgeted $30 billion over the next five to seven years for the program.
As part of its efforts, the Administration held its second national cyber response exercise last month. The exercise, known as Cyber Storm II, involved 18 months of planning, 18 federal agencies, 9 states, and 40 companies, the DHS's Garcia said during a Wednesday session on the project. Five countries took part in the exercise, including the U.S., the United Kingdom, Canada, Australia and New Zealand.
The international cyber exercise was "fundamentally about responding to a fast breaking epidemic," the DHS's Garcia said. He added: "The interesting part of the Cyber Storm exercise was the planning part. In the 18 months leading up to the exercise, relationships were being built up that actually could help in a real life situation."
While the Department of Homeland Security refused to reveal details of the actual scenario used in the exercise, ten companies from the chemical industry took part in Cyber Storm II, making it a good bet that the plot involved some sort of hazardous chemical component.
"One of the objectives in our company was to trigger the incident response processes and see if we could invoke the crisis management teams," Christine Adams, a senior information systems manager for the Dow Chemical Co., which took part in the exercise, said during Wednesday's discussion.
Instead, Adams found that the companies first went to their information-technology vendors before talking with each other and understanding that separate incidents were part of a broader threat.
"Individual companies will work through their technology providers in times of crisis first," Adams said. "And we will look to IT providers before we will even look outside of our own companies."
Recent incidents that have concerned U.S. government officials include the attack against the technology-dependent country of Estonia. The attacks, which began on April 28, followed violent clashes between the Estonian police and ethnic Russians in the country over the removal of a Red Army monument that symbolizes the defeat of Nazi Germany by the Soviet Union during World War II, but is also a reminder to Estonians of the more than four decades that the Soviets occupied the nation. Following the incident, the North Atlantic Treaty Organization (NATO) -- of which Estonia is a member -- began evaluating whether such attacks should trigger the treaty's clause for common defense, Article 5.
The Bush Administration appears to be setting the foundations for a doctrine of allowing defenders to pursue adversaries across cyberspace in response to attacks. Last week, Lieutenant General Robert J. Elder, Jr. stated that the rules of engagement will have to be rethought for the Internet, espousing a more offensive mentality.
On Tuesday, Secretary Chertoff highlighted the impossible task of U.S. defenders when trying to pursue virtual attackers in the physical world, leaving open the possibility that some other strategy will be needed.
"As we tackle this challenge, we have to recognize that we are in a domain when traditional military response is not adequate," Chertoff said in his keynote speech. "We need a network-type of response to deal with a network attack."