[ISN] Mr. Schmidt goes to Washington

From: InfoSec News (isnat_private)
Date: Wed Dec 19 2001 - 00:12:25 PST


    December 17, 2001

    WASHINGTON -- The pending appointment by President Bush of Microsoft
    Corp.'s chief security officer Howard Schmidt to the No. 2 position at
    the U.S. government's Critical Infrastructure Protection Board raises
    an important question about the homeland security effort: Should
    private-sector experts be heading for the White House or frontline
    security agencies?

    News of Schmidt's expected appointment, first reported by
    Computerworld last week, comes as the federal government's
    cybersecurity and critical infrastructure protection (CIP) community
    struggles to define itself amid a growing bureaucracy focused on
    homeland security.

    While many experts praised the addition of Schmidt to the government's
    CIP team, others said tangible steps need to be taken to improve the
    government's focus and the private sector's cooperation with frontline
    cybersecurity agencies such as the FBI's National Infrastructure
    Protection Center. The NIPC, based at FBI headquarters in Washington,
    was formed in 1998 to handle threat assessment, investigations and
    responses to any attacks on critical U.S. infrastructures.

    Despite lessons learned from the Sept. 11 terrorist attacks on the
    U.S., which demonstrated the nation's vulnerability to physical
    disruptions and the interdependency of its critical infrastructures,
    the government and private-sector stakeholders in the CIP effort
    remain uncertain about the definition of critical infrastructure
    protection and, in some cases, uninvolved -- a problem that a
    political appointment like Schmidt's can't fix, experts said.

    "A large majority of the focus up until Sept. 11 has been on the
    information security side of the equation, and there has been a
    limited focus on infrastructures, particularly physical disruptions
    and the interdependencies that proved so important during the Sept. 11
    attacks," said Paula Scalingi, former director of the U.S. Department
    of Energy's Office of Critical Infrastructure Protection and now
    president of The Scalingi Group, a Tysons Corner, Va.-based
    infrastructure security consulting firm.

    The security industry still hasn't come to grips with defining the
    scope of critical infrastructure protection, she said.

    The more pressing need, said government and private-sector officials,
    is for industry experts like Schmidt to provide sector expertise to
    the NIPC so that interdependencies between the telecommunications
    grid, power grid, energy pipelines, emergency service networks and
    other critical services can be better understood.

    In fact, NIPC director Ronald Dick acknowledged last August a critical
    need for private-sector expertise (see story). "I need people who know
    gas and water, people who know electric power and the transportation
    system," he said.

    Dick has praised the relationship between his agency and the North
    American Electric Reliability Council in Princeton, N.J., citing it as
    one of the first arrangements where classified cybersecurity
    information is being shared with industry.

    However, the electric power industry is a prime example where
    cooperation and focus remain a moving target. Joe Weiss, technical
    manager of the enterprise infrastructure security program at the
    Electric Power Research Institute in Palo Alto, Calif., said the fact
    that some of the leading suppliers of IT systems that control electric
    power throughout the country aren't members of the Partnership for
    Critical Infrastructure Security (PCIS) is a major threat to critical
    infrastructure. The PCIS is a key government/private-sector security
    organization now working to enhance IT security,

    "The Web sites will be safe, but the lights will be out, and water and
    oil won't flow," said Weiss, stressing the fact that existing IT
    technology won't work in industrial control systems and, in some
    cases, can actually shut them down. "There have been vulnerability
    assessments done and these important control systems have been shown
    to be vulnerable," he said. "This is not in any way, shape or form

    GTE Corp., one of the suppliers mentioned by Weiss, couldn't be
    reached for comment. However, Bud Greebey, a spokesman for Siemens AG,
    another major supplier of critical industrial systems, said the
    company is "not aware of any overtures to us from the PCIS." Even so,
    the premise behind the PCIS is something Siemens fully supports, he

    Ron Ross, director of the National Information Assurance Partnership,
    a Washington-based government-industry consortium led by the National
    Institute of Standards and Technology and the National Security
    Agency, agreed that there is an education and awareness gap regarding
    potential vulnerabilities in some important systems and networks that
    comprise the critical infrastructure.

    "We now have to begin to delve into a variety of areas that need
    significant attention with regard to computer security," said Ross.

    Alan Paller, director of the SANS Institute in Bethesda, Md., said
    every technical, hands-on expert that the NIPC can add to its ranks
    from the private sector would immediately help the cause of homeland
    security. And while Schmidt offers policy expertise to the government,
    his addition to the President's Critical Infrastructure Protection
    Board "directly supports" the NIPC, said Paller.

    A former senior government official, speaking on condition of
    anonymity, said appointments that are heavy on prestige but light on
    hands-on analysis capabilities aren't what's needed right now. "They
    [the NIPC] need sector expertise and particularly analytic
    capabilities to address infrastructure interdependencies," the
    official said.
    ISN is currently hosted by Attrition.org

    This archive was generated by hypermail 2b30 : Wed Dec 19 2001 - 12:48:58 PST