[ISN] Senate Delay Muddles Security Reporting

From: InfoSec News (isnat_private)
Date: Tue Oct 08 2002 - 00:04:40 PDT

  • Next message: InfoSec News: "[ISN] Linux Security Week - October 7th 2002"

    By Dennis Fisher 
    October 7, 2002 
    As the bill authorizing the proposed Department of Homeland Security
    languishes in the Senate, government officials are discussing the
    possibility of informally consolidating federal information security
    agencies, according to sources familiar with the plan.
    The effort would take the place, at least temporarily, of more formal
    consolidation spelled out in the Homeland Security proposal, sources
    said. Specifically, the new plan calls for the FBI's National
    Infrastructure Protection Center, the Federal Computer Incident
    Response Center and other organizations to begin meeting on a regular
    basis, weekly perhaps, and share duties and results from their
    operations, they said.
    The move comes amid growing concern among security experts that delays
    in the passing of the bill are hampering sorely needed efforts to
    improve vulnerability reporting and response.
    "I think if [the delay] lasts more than four or five weeks, [the
    informal consolidation] will happen and probably without any
    government edict," said Alan Paller, director of research at The SANS
    Institute, in Bethesda, Md.
    Security experts say the fact that the government is even discussing
    such an idea outside the Homeland Security bill is indicative of how
    much things have changed in Washington.
    "The government after [Sept. 11, 2001] realized that their methods for
    gathering intelligence and sifting it wasn't working," said Kevin
    Nixon, senior director of business strategy on the staff of the chief
    security officer at Exodus, a subsidiary of Cable & Wireless plc.,
    based in London. "They need to use nonconventional methods. It shows
    they're using breakthrough thinking."
    Government officials, particularly Richard Clarke, chairman of the
    President's Critical Infrastructure Protection Board, have said they
    want security researchers to report new vulnerabilities directly to
    the government and no one else, except the affected vendors. But the
    rat's nest of federal security groups and their fuzzy areas of
    responsibility make such reporting difficult.
    What's needed, researchers say, is a single point of contact within
    the government for vulnerability reporting.
    "There's so much overlap with all of them, you never know who to deal
    with," said Dan Ingevaldson, team lead on the X-Force research and
    development team at Internet Security Systems Inc., in Atlanta. "It's
    pretty obvious there's a need [for consolidation of the government's
    In the meantime, however, government officials are urging researchers
    to take care with their discoveries.
    "It is irresponsible when you find a vulnerability to tell everyone in
    the world about it. It is the height of irresponsibility," Clarke said
    this week. "Tell the right people and keep it secret until a patch can
    be distributed."
    The administration - and much of Congress - had hoped to enact the
    Department of Homeland Security bill by Sept. 11. In July, the House
    of Representatives approved a bill supporting the administration's
    vision for the department, but the legislation is stymied in the
    Senate, where a partisan debate over the collective bargaining rights
    of department employees has prevented a vote.
    The Senate had planned to adjourn by the middle of this month in light
    of next month's election, but efforts to bring the Department of
    Homeland Security measure to a vote may keep the chamber in session
    longer and may bring lawmakers back to Washington after the election.  
    At this point, the issue appears sufficiently bogged down to preclude
    a vote before the 107th Congress comes to a close. If that happens,
    debate could begin from scratch when the new Congress convenes in
    As proposed, the Information Analysis and Infrastructure Protection
    section of the Department of Homeland Security would subsume a portion
    of the NIPC, FedCIRC, the Critical Infrastructure Assurance Office at
    the Department of Commerce, the National Communications System at the
    Department of Defense, and the Department of Energy's National
    Infrastructure Simulation and Analysis Center, as well as taking some
    personnel from the Secret Service. Currently, these groups operate
    autonomously, with little information shared among them.
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Tue Oct 08 2002 - 02:44:32 PDT