[ISN] Tech Group Blasts Federal Leadership on Cyber-Security

From: InfoSec News (isn@private)
Date: Wed Dec 14 2005 - 13:13:34 PST


Forwarded from: Melissa Shapiro <misdemeanor@private>

http://www.washingtonpost.com/wp-dyn/content/article/2005/12/13/AR2005121301294.html

By Brian Krebs
washingtonpost.com Staff Writer
December 13, 2005

A group of leading technology companies today chastised Congress and
the Bush administration for what it characterized as a failure to
support initiatives to fight online crime, saying a lack of leadership
and accountability in this area is endangering U.S. economic and
national security.

The Cyber Security Industry Alliance said the federal government has
largely declined to act on recommendations the group outlined a year
ago, goals that mirrored policies originally set forth in early 2003
by the White House in the "National Strategy to Secure Cyberspace."

Cyber-security as a government priority "has been on a downward slope
and we need to arrest that decline and bring the issue back to the
level [of importance] it was a few years ago," said Paul Kurtz, a
former Bush administration cyber-security official who serves as chief
executive of the alliance. The group's members include such tech
titans as Computer Associates, Entrust, McAfee, RSA Security and
Symantec.

The industry-led criticism comes as the problem of computer- and
Internet-based crime has reached an all-time high. A U.S. Treasury
official said earlier this month that the profits online crooks are
earning through computer crime now rival those of the global trade in
illegal narcotics. Earlier this year, federal investigators
acknowledged that a series of computer break-ins at several government
and defense technology contracting companies led to the theft of
sensitive documents and intellectual property by Chinese hacker groups
and other foreign governments.

Among the failures cited by the alliance was the lack of a high-level
executive branch official charged with overseeing efforts to secure
government systems and encourage the sharing of information between
government and the private sector on new information security threats.

Last year, Congress directed the Department of Homeland Security to
create such a position within the agency, but the White House has yet
to name a candidate for the post.

The alliance said funding for cyber-security research and development
has remained flat at less than two percent of the federal R&D budget
this year, even though the president's Information Technology Advisory
Committee issued a report last February, "Cyber Security: A Crisis of
Prioritization," concluding that while the U.S. information
infrastructure remains highly vulnerable to terrorist and criminal
attacks, there is little federal budgetary support for research to
protect the digital infrastructure used by the U.S. government and
private sector. The White House dissolved the advisory council without
explanation just a few months after that report was issued.

In addition, the alliance noted that the administration's budget for
DHS-led cyber-security programs was cut by seven percent this year.
The cuts came after the Department of Homeland Security led a list of
seven agencies that received flunking grades for their cyber-security
efforts in 2004, with the federal government at large earning an
overall grade of "D-plus" from a key congressional oversight
committee.

James Lewis, director of the technology and public policy program at
the Center for Strategic and International Studies in Washington, said
many in the private sector are growing weary of the federal
government's lackluster response to the national cyber strategy.

"It's getting kind of old that we're not making progress," Lewis said.

Industry leaders also expressed frustration over the National
Information Assurance Partnership (NIAP), a collaboration between the
National Institute of Standards and Technology and the National
Security Agency to test the security and reliability of commercial
software destined for use in federal information systems. Software
vendors have long complained that the NIAP certification process is
unnecessarily lengthy and costly. The Department of Defense and DHS
recently concluded a study of the program's effectiveness, but those
findings have not yet been released to the public.

Alan Paller, director of research for the Bethesda, Md.-based SANS
Institute, said some federal agencies deserve praise for using their
buying power to convince hardware and software vendors to deliver more
secure products. But Paller said he's become alarmed at the culture of
secrecy that has paralyzed the government from taking action to
correct serious security vulnerabilities that remain widespread in
federal government networks.

"The only leadership I see right now on this issue in the federal
government is in trying to hide attacks that have been successful,"
Paller said. "If senior management [in federal civilian agencies] can
avoid letting the public know that the attacks are happening, they
don't have an incentive to protect those systems."

Kurtz said the federal government deserves credit for making
incremental progress on some cyber-security fronts, such as funding
tests of the resiliency and security of critical digital networks that
run the air traffic control system, power grids, financial systems and
military and intelligence networks.

Kurtz also praised the Senate Foreign Relations Committee's recent
recommendation that the full Senate vote on whether to ratify the
Council of Europe's Convention on Cyber Crime, which he said should
help U.S. law enforcement agencies better find and prosecute online
crooks based abroad. Congress also is debating several consumer
privacy and data breach notification bills intended to help consumers
victimized by identity theft and online fraud.

Andy Purdy, acting director of the DHS's National Cyber Security
Division, said his office is working with the White House to find the
most qualified person for the new cyber-security post, but he
cautioned that the job may remain unfilled for several more months.

"We believe the selection of that person -- in terms of the message it
sends to help highlight the commitment of the administration to
reducing cyber risk -- is a very important one and we don't want to
rush it," he said.

Purdy said he believes the president's budget is sufficient to
accomplish the goals laid out in the national strategy and
acknowledged "the importance and seriousness of raising federal agency
scores on internal cyber security.

"While the grades are not what we'd like to see, we believe there is
sustained progress and we are encouraged by that progress and we are
continuing to work closely with those agencies," Purdy said.

He also defended the administration's record on implementing key
portions of the White House cyber-security strategy.

"We've made tremendous progress," Purdy said. "But we also recognize
that in the need to formalize how we work with the private sector so
that we can have the ongoing, sustained collaboration -- not just
information sharing -- we have a long way to go."


This archive was generated by hypermail 2.1.3 : Wed Dec 14 2005 - 19:13:08 PST