[ISN] Ex-cybersecurity chief calls on feds to step up efforts

From: InfoSec News (isn@private)
Date: Thu Nov 11 2004 - 01:39:27 PST


http://www.govexec.com/dailyfed/1104/111004tdpm1.htm

By William New
National Journal's Technology Daily
November 10, 2004 

While progress is being made in the nation's efforts to ensure the
security of its cyber assets, a revolution is needed in the federal
government's thinking in order to win the "cat and mouse game" with
cyber attackers, a former senior cybersecurity official said
Wednesday.

"The government doesn't know what its IT assets are," said Amit Yoran,
who resigned as director of the Homeland Security Department's
cybersecurity division last month. He added that the government is
much like large multinational organizations, where cybersecurity
awareness does not cut across all divisions.

A recognized private-sector expert, Yoran said he tried to address the
problem during his one-year stint at Homeland Security. By the time he
left, he said the department had made progress in mapping which of the
127 federal entities are responsible for what parts of the
government's cyber assets. His office found that there are 5,700
different "network blocks" across government.

The division also began asking about agencies' Internet exposure in
order to understand the risks. But scanning the 5,700 networks for
that exposure is "a Herculean effort" and is ongoing, he said. Yoran
spoke at a conference sponsored by the Computer Security Institute.

Generally, Yoran said the government's risk assessments appear to be
largely based on consultants' reports rather than on an actual
examination of the systems. His vision for the government is to use
the government-wide knowledge of risks to take more coordinated,
effective security steps.

There are "pockets" of top-flight cybersecurity skill within the
government, Yoran said, and they need to be pulled together. Doing so
will be fundamental to getting buy-in from the private sector, which
owns about 80 percent of the nation's critical infrastructure, he
added.

Yoran said the future is bright for cybersecurity, especially for
making more secure software. "We are still at the very early stages of
cybersecurity," he said. A new way of thinking is ushering in the next
generation of technologies, and the government needs to be out front
in encouraging that transformation, he said.

"We really need to revolutionize how we think about cybersecurity,"  
Yoran said. "In three years time, there will be no definable
perimeters on our systems." The typical systems, such as firewalls and
intrusion-detection systems, will not be efficient any longer, he
predicted.

"You won't be able to protect or own all of the information you are
providing to your customers," Yoran said. "In many cases, you won't
even be able to identify where the data resides."

Yoran's departure from the division caused concern among industry and
in parts of the government that cyber security is not sufficiently
high-profile in the government. He declined to comment on how the
position should be structured, except to say that there should be
sufficient access to senior-level decision-makers and that the person
should have solid political skills.

Yoran also said that while there is great experience at Homeland
Security in physical security, "the same is not true for
cybersecurity."



_________________________________________
Open Source Vulnerability Database (OSVDB) Everything is Vulnerable - http://www.osvdb.org/



This archive was generated by hypermail 2.1.3 : Thu Nov 11 2004 - 03:14:18 PST