[ISN] Homeland Cybersecurity Efforts Doubted

From: InfoSec News (isnat_private)
Date: Tue Mar 11 2003 - 22:58:57 PST

  • Next message: InfoSec News: "[ISN] Saudi arrested at U of I was studying computer security"

    http://www.securityfocus.com/news/3043
    
    By Michael Fitzgerald
    SecurityFocus 
    March 11 2003 
    
    It's existed for less than two weeks, but analysts are already
    concerned that the newly-formed Department of Homeland Security's
    cybersecurity unit may not grow up to be the powerhouse of efficiency
    and expertise it was billed as.
    
    Nearly every government cybersecurity agency was swept in to the new
    cabinet-level Department's "Directorate of Information Analysis and
    Infrastructure Protection" -- making the new directorate the single
    largest computer security organization the U.S. government has ever
    had.
    
    The Critical Infrastructure Assurance Office (CIAO), formerly part of
    the Department of Commerce, made the move, as did the FBI's National
    Infrastructure Protection Center. The Federal Computer Incident
    Response Center left the General Services Administration to head to
    the DHS. Even the Department of Defense's National Communications
    System, which handles emergency preparedness for telecom, moved to the
    new department.
    
    The DHS also houses the Secret Service, which is expanding its
    cybercrime efforts, adding at least one "Electronic Crime Special
    Agent" to every field office. The service recently upped the number of
    cities with an Electronic Crime Task Force from one (New York) to
    nine, and has developed a National Threat Assessment Center with
    Carnegie-Mellon's CERT/CC.
    
    But despite the number of agencies involved, cybersecurity generally
    seems to have slipped in importance for the Bush Administration. One
    obvious sign is the dramatic decrease in the visibility of the
    National Strategy to Secure Cyberspace. The strategy was trumpeted by
    the White House and taken seriously by industry until its
    anticlimactic release as a draft version, followed by an almost
    unheralded final release on Valentine's Day as a generally toothless
    plan.
    
    Last month the President also abolished the high-level Critical
    Infrastructure Protection Board, which was established after the
    September 11th attacks and run by Richard Clarke, a high-profile
    30-year veteran of government. The board will be reborn inside the
    DHS, but with lower-level people.
    
    Adding to the confusion, President George W. Bush used his State of
    the Union address in January to announce a new Terrorist Threat
    Integration Center, that seems to duplicate at least part of what the
    DHS is supposed to do, coordinating information flow between the DHS,
    FBI, Central Intelligence Agency and the Department of Defense.
    
    "The cybersecurity effort hasn't gotten a lot of support and
    enthusiasm from anywhere," says Will Rodger, director of public policy
    at the Computer and Communications Industry Association (CCIA) in
    Washington, DC. He says the DHS looks like just another federal feint
    at security, with no actual structure, and no consequences for
    failure.
    
    Adding to the lack of clarity is what seems to be a mass exodus by
    many long-time cyber policy influencers. The list of departures is
    headed by Clarke, who spearheaded the National Strategy for Cyberspace
    Security, and was the federal government's most visible cheerleader
    for better network security in and out of government.
    
    
    Tough Job
    
    Brian Stafford also retired as director of the Secret Service, mere
    weeks after he appeared at the National Strategy draft unveiling; he
    was replaced in January by W. Ralph Basham. Ron Dick, director of the
    National Infrastructure Protection Center, retired from that post in
    December, and John Tritak recently left his position as director of
    the CIAO.
    
    Meanwhile, the key cybersecurity role in the DHS, Undersecretary of
    Intelligence Analysis and Infrastructure Protection, remains vacant --
    Gen. James Clapper turned down the Undersecretary job in January.  
    Insiders say Bush's creation of the Terrorist Threat Integration
    Center has killed interest in the position, a significant issue in the
    title-happy Beltway. That leaves Infrastructure Protection as the only
    directorate that does not have at least a named undersecretary.
    
    "In government, committees without leaders might as well not exist,"  
    notes Harris Miller, president of the Information Technology
    Association of America, a tech industry trade group. Miller's vote for
    the neglected post is Howard Schmidt, the former Microsoft CSO who
    took over for Clarke at the White House; Schmidt has been mentioned as
    a potential candidate for the undersecretary's job, though his lack of
    experience in the intelligence world may hurt his chances. Miller says
    that Schmidt can do the job, and if he isn't picked, someone with his
    ability and clout has to be named to it. "Otherwise, we will feel the
    administration has lost its focus on cybersecurity," Miller says. "If
    they don't do that, they're making a mistake."
    
    Miller doesn't want to be overly critical -- it has been less than two
    weeks, after all, and senior Bush Administration officials assure him
    that cyber security remains a priority. "I trust the people there, but
    trust needs to be verified," Miller says. "Right now we're running on
    assurances rather than definite information."
    
    For its part, the DHS points to its recent successful handling of the
    Sendmail flaw as a sign of its effectiveness. But that event was
    handled almost entirely before any of the groups involved were pulled
    into the Department, so the incident cannot be treated as even a minor
    test of the Department's abilities.
    
    Even DHS supporters say that it isn't clear exactly what sort of cyber
    security mandate exists for the Department.
    
    "It's really unsettled," says Jody Westby, president of The Work-IT
    Group in Denver, Colo. Westby is the editor of the American Bar
    Association's new Guide to Combating Cybercrime. She thinks that the
    DHS will improve coordination amongst the government's infrastructure
    players, in part because it has a single CIO, Scott Cooper, working
    across all 22 of its agencies. Westby also thinks that recent
    legislation which guarantees confidentiality for businesses who
    present information about cyberattacks to the DHS might increase
    private-sector cooperation with the Department. But she's concerned
    about a lack of funding for the undersecretary's office. "It has maybe
    $25 million," Westby said. "That's not very much money."
    
    Overall, the new DHS's $37.7 billion budget earmarks only $3 billion
    for cybersecurity, according to Gartner Group's John Pescatore. So the
    Infrastructure Protection directorate, one of five directorates in the
    DHS, appears in line for less than 10 percent of funds.
    
    
    Who ya gonna call?
    
    Observers says the reorganization has muddled the question of where
    victims of cybercrime should go to report an incident. "We tell
    clients to check with legal counsel before getting law enforcement
    involved," said Pescatore, a former Secret Service agent. In part,
    that's to protect corporations from potential backlash from
    shareholders and customers. Pescatore said that even when there was
    good reason to contact law enforcement, "who you go to is tremendously
    unclear."
    
    Indeed, a concerned corporation or citizen could report intrusions to
    the local FBI office, to InfraGard, which was part of NIPC but
    remained with the FBI, to the Secret Service, to the IAIP, or even to
    the new Terrorist Center. In the short term, then, the creation of the
    DHS "seems to have exacerbated confusion," said one former government
    security official, speaking on condition of anonymity.
    
    To be fair, the DHS is an immense undertaking, the biggest government
    reorganization effort since the Department of Defense was created
    after World War II. Such a reorganization will require time.  
    Department secretary Tom Ridge still needs to fill a number of key
    positions across his directorates, and the Department understandably
    needs to make physical security a priority, in anticipation of
    potential terrorist strikes at America.
    
    Most analysts hold out hope that, given time, the DHS may well improve
    the security of the nation's infrastructure. Departed officials may be
    replaced by people with fresh eyes and energies. In particular, a new
    Undersecretary could galvanize efforts at intelligence analysis.  
    Government, too, they say, can't be the only answer -- it can't make
    private companies install patches, or end-users stop clicking on
    attachments. Still, CCIA's Rodger, for one, is wary of what the DHS
    will do for the nation's cybersecurity. "I'd like to say 'hackers
    beware.' I'd like to say the Feds are going to get you. But I can't."
    
    tipsat_private
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Wed Mar 12 2003 - 01:33:48 PST