[ISN] Fed Agencies Asleep at the Wheel

From: InfoSec News (isnat_private)
Date: Thu Apr 03 2003 - 22:53:51 PST

    http://www.wired.com/news/politics/0,1283,58327,00.html
    
    By Noah Shachtman
    April 03, 2003
    
    This is how ill-prepared the federal government is to protect itself 
    against terrorist attacks: Many of its agencies don't even know which 
    buildings and computer networks to defend. 
    
    In 1998, the Clinton administration ordered the Departments of Energy, 
    Commerce, and Health and Human Services, as well as the Environmental 
    Protection Agency, to each come up with a list of crucial equipment, 
    buildings and information technology that must be protected under any 
    circumstance. 
    
    But nearly five years later -- and more than 18 months after Sept. 11 
    -- none of these agencies has completed its list, according to a 
    report released Wednesday by the Government Accounting Office, 
    Congress' investigative arm. And none of the agencies has 
    comprehensive plans for keeping these assets safe. 
    
    "For most of us, this would seem to be a matter of common sense," said 
    Ken Johnson, a spokesman for the House Energy Committee. "But these 
    agencies still aren't taking the threat of terrorism seriously enough. 
    In our own homes, we know the things that are most valuable to us. 
    It's not unreasonable to ask these departments to do the same." 
    
    How would the Energy Department keep tabs on the country's stockpile 
    of nuclear weapons if a truck bomb rammed into its headquarters? What 
    labs would need to be secured if a nuclear "dirty bomb" went off near 
    the Centers for Disease Control and Prevention in Atlanta? What 
    financial databases would have to be maintained if hackers broke into 
    the Commerce Department's computers? These are the sorts of questions 
    the agencies are supposed to be asking themselves. 
    
    "In military terms, these would be the 'command and control' 
    structures -- the things needed to maintain continuity of operations 
    if their headquarters were gone or inaccessible," said Phil Anderson, 
    a senior fellow at the Center for Strategic and International Studies. 
    
    The idea behind the Clinton directive was that the departments clearly 
    can't protect all their assets equally. So they should concentrate 
    their resources on the areas that matter most -- the "assets, nodes 
    and networks that, if incapacitated or destroyed, would jeopardize the 
    nation's survival" or "have a serious, deleterious effect on the 
    nation at large," according to the GAO report. 
    
    But the agencies haven't complied with the executive branch directive. 
    Instead, the GAO report alleges, they're relying on years-old defense 
    plans "focused on protecting hundreds of assets considered essential 
    to the agencies' missions, rather than focusing on those assets that 
    are critical to the nation." 
    
    The departments seem to be in no hurry to settle on which areas are 
    the most essential. 
    
    "It could take years for these agencies to complete their analyses for 
    all critical assets at their current pace," the report (PDF) said. 
    
    In written comments submitted to the GAO, the Department of Health and 
    Human Services vigorously disagreed with this assessment. The agency 
    said it identified its assets "more than two years ago," and is 
    currently reviewing them again. Representatives from the other 
    agencies investigated either refused to comment or did not return 
    calls. 
    
    The Center for Strategic and International Studies' Anderson isn't 
    surprised the agencies haven't finished their assessments. Large 
    federal bureaucracies take time to build up speed on an issue, he 
    said. And before Sept. 11, reasons for these agencies to hustle on 
    security matters were not pressing. 
    
    "How much motivation can there be when you don't believe you're at 
    risk?" he said. 
    
    Equally slow to develop are the ties between these federal agencies 
    and the private sector. Commercial interests are responsible for more 
    than 80 percent of the country's so-called critical infrastructure -- 
    power plants, dams and the like. So it's vital that business and 
    government exchange information about possible weaknesses and possible 
    threats. 
    
    Right now, however, this information is brokered through a dozen 
    different Information Sharing and Analysis Centers, known as ISACs, 
    each representing a different industry. 
    
    But these groups aren't living up to their names, because they're not 
    actually sharing what they know with the government, according to the 
    GAO report. 
    
    If they do, the ISACs reason, then the information can be released to 
    the public under the Freedom of Information Act, which gives 
    journalists and private citizens access to federal material that's not 
    classified. And that could be dangerous, industry leaders said. 
    
    "If we do a vulnerability assessment at one of our facilities, we'll 
    share it with the other (industry) players, but not with the Energy 
    Department," said Bobby Gillham, global security manager for 
    ConocoPhillips and chairman of the Energy ISAC. "We don't want it to 
    get on some website and be a roadmap for some terrorist." 
    