http://www.eweek.com/article2/0,3959,598611,00.asp By Dennis Fisher October 7, 2002 As the bill authorizing the proposed Department of Homeland Security languishes in the Senate, government officials are discussing the possibility of informally consolidating federal information security agencies, according to sources familiar with the plan. The effort would take the place, at least temporarily, of more formal consolidation spelled out in the Homeland Security proposal, sources said. Specifically, the new plan calls for the FBI's National Infrastructure Protection Center, the Federal Computer Incident Response Center and other organizations to begin meeting on a regular basis, weekly perhaps, and share duties and results from their operations, they said. The move comes amid growing concern among security experts that delays in the passing of the bill are hampering sorely needed efforts to improve vulnerability reporting and response. "I think if [the delay] lasts more than four or five weeks, [the informal consolidation] will happen and probably without any government edict," said Alan Paller, director of research at The SANS Institute, in Bethesda, Md. Security experts say the fact that the government is even discussing such an idea outside the Homeland Security bill is indicative of how much things have changed in Washington. "The government after [Sept. 11, 2001] realized that their methods for gathering intelligence and sifting it wasn't working," said Kevin Nixon, senior director of business strategy on the staff of the chief security officer at Exodus, a subsidiary of Cable & Wireless plc., based in London. "They need to use nonconventional methods. It shows they're using breakthrough thinking." Government officials, particularly Richard Clarke, chairman of the President's Critical Infrastructure Protection Board, have said they want security researchers to report new vulnerabilities directly to the government and no one else, except the affected vendors. But the rat's nest of federal security groups and their fuzzy areas of responsibility make such reporting difficult. What's needed, researchers say, is a single point of contact within the government for vulnerability reporting. "There's so much overlap with all of them, you never know who to deal with," said Dan Ingevaldson, team lead on the X-Force research and development team at Internet Security Systems Inc., in Atlanta. "It's pretty obvious there's a need [for consolidation of the government's personnel]." In the meantime, however, government officials are urging researchers to take care with their discoveries. "It is irresponsible when you find a vulnerability to tell everyone in the world about it. It is the height of irresponsibility," Clarke said this week. "Tell the right people and keep it secret until a patch can be distributed." The administration - and much of Congress - had hoped to enact the Department of Homeland Security bill by Sept. 11. In July, the House of Representatives approved a bill supporting the administration's vision for the department, but the legislation is stymied in the Senate, where a partisan debate over the collective bargaining rights of department employees has prevented a vote. The Senate had planned to adjourn by the middle of this month in light of next month's election, but efforts to bring the Department of Homeland Security measure to a vote may keep the chamber in session longer and may bring lawmakers back to Washington after the election. At this point, the issue appears sufficiently bogged down to preclude a vote before the 107th Congress comes to a close. If that happens, debate could begin from scratch when the new Congress convenes in January. As proposed, the Information Analysis and Infrastructure Protection section of the Department of Homeland Security would subsume a portion of the NIPC, FedCIRC, the Critical Infrastructure Assurance Office at the Department of Commerce, the National Communications System at the Department of Defense, and the Department of Energy's National Infrastructure Simulation and Analysis Center, as well as taking some personnel from the Secret Service. Currently, these groups operate autonomously, with little information shared among them. - ISN is currently hosted by Attrition.org To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Tue Oct 08 2002 - 02:44:32 PDT