[ISN] A spending tug of war

From: InfoSec News (isnat_private)
Date: Tue Oct 08 2002 - 00:03:53 PDT


    By Megan Lisagor 
    Oct. 7, 2002
    Working from its fiscal 2002 spending account, DOE's NNSA had $555
    million for safeguards and security. Of that, $58 million was
    earmarked for information security, according to the official, who
    asked to remain anonymous. But some of that money was reallocated to
    guards, their overtime pay and other physical defenses after the
    attacks, the source said.
    The timing couldn't be worse.
    "We're barely holding our own in being able to keep up our defenses,"  
    the official said. "We can handle the basic stuff, but [not] the
    really sophisticated ways of attacking and moving data."
    It boils down to a spending tug of war, cybersecurity experts said.
    After Sept. 11, my "first priority was to assure the safety and
    security of nuclear weapons, the weapons complex and its employees,
    special nuclear material and other high value assets," NNSA
    Administrator John Gordon wrote in the agency's budget request for
    fiscal 2003.
    Gordon augmented protective forces and established a heightened
    security posture, according to the proposal. In addition, the agency
    formed a task force to recommend immediate improvements and develop an
    action plan for future enhancements.
    The agency received $30 million in supplemental funding, part of which
    went to accelerate the deployment of near-term cybersecurity measures
    at all of its nuclear weapons complex sites, a DOE spokesperson said.
    But "we're still short of funds," the Energy official said.
    At NNSA, security is key. The agency takes a three-layer approach to
    its network architectures, similar to a bull's eye with green, yellow
    and red circles for unclassified/nonsensitive, sensitive and
    classified information, respectively, according to the official.
    Although NNSA tracks and monitors red very well, the source said,
    yellow is weaker because the agency has had to devote its resources to
    the green layer, which has the most open access and limited firewall
    NNSA also doesn't have the funds to continue a project that addresses
    the so-called insider threat, posed by individuals with legitimate
    access to its networks, according to the source.
    It's a threat the agency has dealt with in the past. In 1999,
    scientist Wen Ho Lee was charged with copying secret nuclear
    information from a secure computer at Los Alamos National Laboratory.  
    In a separate case the next year, classified computer drives were
    reported missing and then found at the lab.
    Despite a spate of problems, the alleged money transfer doesn't
    surprise cybersecurity experts. "It's consistent," said Eugene
    Spafford, professor and director of Purdue University's Center for
    Education and Research in Information Assurance and Security. "What we
    don't have enough of, in this realm in particular, is the kind of
    long-term thinking that has occurred in other areas."
    Blaine Burnham, director of the Nebraska University Consortium on
    Information Assurance and a senior research fellow for the University
    of Nebraska at Omaha's College of Information Science and Technology,
    agreed. "Generally, it runs true to form with what has happened to
    cybersecurity budgets over time. It doesn't have the sizzle. Guards
    with big, barking dogs have lots of sizzle.
    "That's not to say that the NNSA hasn't made an introspective analysis
    of where [its] needs are," Burnham said.
    NNSA has asked Congress for $510 million for safeguards and security
    for fiscal 2003, with $72 million set aside for cybersecurity, but
    expects to get $66 million to protect its networks, the DOE official
    said, adding that the agency needs about another $30 million to get
    the job done.
    "There's a lot of turmoil in the federal government in general trying
    to get all security - information and physical - sorted out," said
    Chip Lawson, business development director for Harris Corp.'s
    security-threat avoidance technology network group.
    In a boon to cybersecurity, the Bush administration last month
    released a draft National Strategy to Secure Cyberspace. Some IT
    experts criticized the plan as too weak for not setting specific
    requirements for the public and private sectors.
    DOE officials were unavailable for comment.
    Challenging mission

    Congress created the National Nuclear Security
    Administration in fiscal 2000 to carry out the Energy Department's
    programs in nuclear weapons, defense nuclear nonproliferation and
    naval reactors. Its facilities include Lawrence Livermore, Los Alamos
    and Sandia national laboratories. "They have possibly the most
    significant information and physical security challenge in the nation,
    if not the world," said Blaine Burnham, who previously held
    information assurance roles at the National Security Agency, Los
    Alamos and Sandia.
    ISN is currently hosted by Attrition.org

    This archive was generated by hypermail 2b30 : Tue Oct 08 2002 - 02:43:13 PDT