http://www.washingtonpost.com/ac2/wp-dyn/A55783-2003Apr8

By Brian Krebs
washingtonpost.com Staff Writer
April 8, 2003

The new Department of Homeland Security lacks the resources and expertise to execute the core elements of the Bush administration's cybersecurity plan, the president's former cybersecurity adviser told Congress today.

In his first appearance on Capitol Hill since leaving the White House in February, former cybersecurity czar Richard Clarke warned lawmakers against the "dangerous" tendency to dismiss the consequences of an attack on the nation's computer networks.

"For many, the cyber threat is hard to understand; no one has died in a cyberattack, after all, there has never been a smoking ruin for cameras to see," said Clarke, now a security consultant. "It is the kind of thinking that said we never had a major foreign terrorist attack in the United States, so we never would; al Qaeda has just been a nuisance, so it never will be more than that."

Testifying before a House Government Reform subcommittee, Clarke said the government should create a National Cybersecurity Center staffed by top computer security experts. The government also needs a federal chief information security officer with authority over all federal agencies, he said.

"Without such an official, departments will continue as they have for years, vulnerable to cyber intrusion and woefully behind in the deployment of modern IT security technology," Clarke said.

In October, the General Accounting Office found that all 24 federal agencies continue to have "significant information security weaknesses" that expose government computer systems and other networks to "fraud, misuse and disruption." The House Government Reform Committee subsequently awarded most federal agencies failing grades for computer security for the third year in a row.
The White House Office of Management and Budget has authority over IT security within federal civilian agencies, but Clarke said the office is understaffed. "[The] OMB has attempted to perform this function with one or two people buried in their bureaucracy and an interagency committee of the CIO Council, which lacks both expertise and authority," he said.

But the OMB official charged with leading President Bush's e-government agenda said at today's hearing that the administration is giving just the right amount of attention to cybersecurity and that critics may be expecting too much too soon.

"The [Homeland Security] Department has only been up for several weeks now, and I think when you see their go-forward plan you'll see how they've integrated their abilities, and I think you'll see some innovations to that as well," said Mark Forman.

Government May Face Cybersecurity Brain Drain

Clarke's testimony was echoed at today's hearing by Michael Vatis, former director of the National Infrastructure Protection Center, one of five federal cybersecurity divisions recently transferred to the Homeland Security Department. Vatis told the House panel that the federal government is now less prepared to deal with cybersecurity threats than it was a year ago, in part due to the dismantling of the White House cybersecurity board that Clarke chaired.

Vatis also said that the lack of a senior administration official solely in charge of computer security has left "a serious void in executive branch leadership." He noted that cybersecurity is folded under Homeland Security's Information Analysis and Infrastructure Protection division. As long as responsibility for cybersecurity remains a subset of physical protection, "cyber will continue to get short shrift," he said.

The former FBI official also testified that the majority of FBI cybersecurity experts assigned to NIPC did not transfer to the Homeland Security department, leaving the administration with hundreds of positions to fill.
Given the time it takes to perform background checks on new employees, Vatis estimated that it will be more than a year before the department is fully prepared to respond to major cyberattacks.

Homeland Security department spokesman David Wray said that the agency has more than 200 positions to fill -- many of them in the cyber division. But he defended the administration's decision to place one person in charge of cybersecurity and protecting the safety of vital physical assets like the telecommunications system and the power grid.

"Obviously we have a different view of that. We think that the two should be integrated, not standing alone, and what you'll see in our emerging policy will reflect that," Wray said.

The shifting of responsibility for cybersecurity policy within the administration has left many in the private sector questioning the administration's commitment to the issue, at least in the near term, said Stewart Baker, former general counsel to the National Security Agency. But Baker said it may be too soon to ask whether the department is giving cybersecurity the attention it deserves.

"There's obviously been a pause in attention to this for a lot of reasons, including the standing up of DHS and the fact that we're in the middle of a war," Baker said. "But the best time to judge the administration is three or four months from now when the department is up and running and leadership is briefed."

Clarke's Recommendations

Clarke, who played a leading role in drafting the White House's recently released National Strategy to Secure Cyber Space, today offered several steps he believed the federal government should take to guard the nation's IT infrastructure.

Clarke recommended that federal workers should be required to use authentication cards to gain access to agency networks, similar to an existing program at the Department of Defense.
He also said that Congress should support administration plans to allow companies to monitor the security of large federal agency networks. "We kid ourselves if we believe that most departments can operate 24-by-7 command centers to monitor intrusion detection devices and firewalls," he told the panel.

Clarke also suggested shifting funds for cybersecurity research and development away from the National Science Foundation in favor of federally funded national labs like Los Alamos and Lawrence Livermore, and MITRE Corp., a nonprofit group that works with the Defense Dept. Last year, Congress passed legislation providing $900 million over three years for cybersecurity research and development. Clarke urged lawmakers to authorize funding for the program, even if the administration does not request the full amount.

The government also should direct the GAO to install sensors in federal agency networks that continuously scan computers for security holes, Clarke said. To complement that system, Congress should also expand a General Services Administration program that provides software "patches" to fix the most common and serious vulnerabilities, he added.

Clarke also suggested requiring agencies to outsource responsibility for IT security, and forcing private companies to provide Congress with weekly or monthly reports on their progress. Having the ability to fire or fine companies that perform poorly would be immensely more productive than berating agency chief information officers before the committee following the release of the annual GAO report, he said.

Vatis recommended that Congress require publicly traded companies to disclose their cybersecurity progress in annual reports to the Securities and Exchange Commission, similar to the requirements that were applied to companies in the months leading up to the Y2K transition.