[ISN] Feds Falling Short on Cybersecurity

From: InfoSec News (isnat_private)
Date: Wed Apr 09 2003 - 03:22:06 PDT

    http://www.washingtonpost.com/ac2/wp-dyn/A55783-2003Apr8
    
    By Brian Krebs
    washingtonpost.com Staff Writer
    April 8, 2003
    
    The new Department of Homeland Security lacks the resources and
    expertise to execute the core elements of the Bush administration's
    cybersecurity plan, the president's former cybersecurity adviser told
    Congress today.
    
    In his first appearance on Capitol Hill since leaving the White House
    in February, former cybersecurity czar Richard Clarke warned lawmakers
    against the "dangerous" tendency to dismiss the consequences of an
    attack on the nation's computer networks.
    
    "For many, the cyber threat is hard to understand; no one has died in
    a cyberattack, after all, there has never been a smoking ruin for
    cameras to see," said Clarke, now a security consultant. "It is the
    kind of thinking that said we never had a major foreign terrorist
    attack in the United States, so we never would; al Qaeda has just been
    a nuisance, so it never will be more than that."
    
    Testifying before a House Government Reform subcommittee, Clarke said
    the government should create a National Cybersecurity Center staffed
    by top computer security experts. The government also needs a federal
    chief information security officer with authority over all federal
    agencies, he said.
    
    "Without such an official, departments will continue as they have for
    years, vulnerable to cyber intrusion and woefully behind in the
    deployment of modern IT security technology," Clarke said.
    
    In October, the General Accounting Office found that all 24 federal
    agencies continue to have "significant information security
    weaknesses" that expose government computer systems and other networks
    to "fraud, misuse and disruption." The House Government Reform
    Committee subsequently awarded most federal agencies failing grades
    for computer security for the third year in a row.
    
    The White House Office of Management and Budget has authority over IT
    security within federal civilian agencies, but Clarke said the office
    is understaffed. "[The] OMB has attempted to perform this function
    with one or two people buried in their bureaucracy and an interagency
    committee of the CIO Council, which lacks both expertise and
    authority," he said.
    
    But the OMB official charged with leading President Bush's
    e-government agenda said at today's hearing that the administration is
    giving just the right amount of attention to cybersecurity and that
    critics may be expecting too much too soon.
    
    "The [Homeland Security] Department has only been up for several weeks
    now, and I think when you see their go-forward plan you'll see how
    they've integrated their abilities, and I think you'll see some
    innovations to that as well," said Mark Forman.
    
    Government May Face Cybersecurity Brain Drain
    
    Clarke's testimony was echoed at today's hearing by Michael Vatis,
    former director of the National Infrastructure Protection Center, one
    of five federal cybersecurity divisions recently transferred to the
    Homeland Security Department.
    
    Vatis told the House panel that the federal government is now less
    prepared to deal with cybersecurity threats than it was a year ago, in
    part due to the dismantling of the White House cybersecurity board
    that Clarke chaired.
    
    Vatis also said that the lack of a senior administration official
    solely in charge of computer security has left "a serious void in
    executive branch leadership." He noted that cybersecurity is folded
    under Homeland Security's Information Analysis and Infrastructure
    Protection division. As long as responsibility for cybersecurity
    remains a subset of physical protection, "cyber will continue to get
    short shrift," he said.
    
    The former FBI official also testified that the majority of FBI
    cybersecurity experts assigned to NIPC did not transfer to the
    Homeland Security department, leaving the administration with hundreds
    of positions to fill. Given the time it takes to perform background
    checks on new employees, Vatis estimated that it will be more than a
    year before the department is fully prepared to respond to major
    cyberattacks.
    
    Homeland Security department spokesman David Wray said that the agency
    has more than 200 positions to fill -- many of them in the cyber
    division. But he defended the administration's decision to place one
    person in charge of cybersecurity and protecting the safety of vital
    physical assets like the telecommunications system and the power grid.
    
    "Obviously we have a different view of that. We think that the two
    should be integrated, not standing alone, and what you'll see in our
    emerging policy will reflect that," Wray said.
    
    The shifting of responsibility for cybersecurity policy within the
    administration has left many in the private sector questioning the
    administration's commitment to the issue, at least in the near term,
    said Stewart Baker, former general counsel to the National Security
    Agency.
    
    But Baker said it may be too soon to ask whether the department is
    giving cybersecurity the attention it deserves.
    
    "There's obviously been a pause in attention to this for a lot of
    reasons, including the standing up of DHS and the fact that we're in
    the middle of a war," Baker said. "But the best time to judge the
    administration is three or four months from now when the department is
    up and running and leadership is briefed."
    
    Clarke's Recommendations
    
    Clarke, who played a leading role in drafting the White House's
    recently released National Strategy to Secure Cyber Space, today
    offered several steps he believed the federal government should take
    to guard the nation's IT infrastructure.
    
    Clarke recommended that federal workers should be required to use
    authentication cards to gain access to agency networks, similar to an
    existing program at the Department of Defense. He also said that
    Congress should support administration plans to allow companies to
    monitor the security of large federal agency networks.
    
    "We kid ourselves if we believe that most departments can operate
    24-by-7 command centers to monitor intrusion detection devices and
    firewalls," he told the panel.
    
    Clarke also suggested shifting funds for cybersecurity research and
    development away from the National Science Foundation in favor of
    federally funded national labs like Los Alamos and Lawrence Livermore,
    and MITRE Corp., a nonprofit group that works with the Defense Dept.
    
    Last year, Congress passed legislation providing $900 million over
    three years for cybersecurity research and development. Clarke urged
    lawmakers to authorize funding for the program, even if the
    administration does not request the full amount.
    
    The government also should direct the GAO to install sensors in
    federal agency networks that continuously scan computers for security
    holes, Clarke said. To complement that system, Congress should also
    expand a General Services Administration program that provides
    software "patches" to fix the most common and serious vulnerabilities,
    he added.
    
    Clarke also suggested requiring agencies to outsource responsibility
    for IT security, and forcing private companies to provide Congress
    with weekly or monthly reports on their progress. Having the ability
    to fire or fine companies that perform poorly would be immensely more
    productive than berating agency chief information officers before the
    committee following the release of the annual GAO report, he said.
    
    Vatis recommended that Congress require publicly traded companies to
    disclose their cybersecurity progress in annual reports to the
    Securities and Exchange Commission, similar to the requirements that
    were applied to companies in the months leading up to the Y2K
    transition.
    
    
    
    -
    ISN is currently hosted by Attrition.org
    