[ISN] Congress slams Homeland Security's tech efforts

From: InfoSec News (alerts@private)
Date: Wed Sep 13 2006 - 23:11:20 PDT


http://news.com.com/Congress+slams+Homeland+Securitys+tech+efforts/2100-1028_3-6115434.html

By Anne Broache
Staff Writer, CNET News.com
September 13, 2006

WASHINGTON--The U.S. Department of Homeland Security on Wednesday 
sustained more bashing of its cybersecurity efforts from politicians and 
government auditors.

In what has become a familiar refrain, a chorus of Republicans and 
Democrats--all from the U.S. House of Representatives panel on 
telecommunications and the Internet--urged the agency to get its act 
together and appoint a long-awaited cybersecurity czar.

Then, at a sparsely attended afternoon hearing here, members of the 
House of Representatives' Homeland Security panel grilled department 
officials about shortcomings in the Homeland Security Information 
Network, which was intended to ease sharing of counterterrorism 
information among federal, state and local investigators.

During the morning hearing, politicians voiced dismay at the 
unsurprising findings of a Government Accountability Office report 
(click for PDF [1]) that was released Wednesday and that had been 
prepared at the committee's request.

"Both government and the private sector are poorly prepared to 
effectively respond to cyberevents," David Powner, the GAO's director of 
information technology management issues, told the politicians.  
"Although DHS has various initiatives under way, these need to be better 
coordinated and driven to closure."

The Department of Homeland Security, which is chiefly responsible for 
coordinating responses to cyberattacks, also has no concrete plan for 
responding to cyberdisasters in partnership with the private sector, 
Powner said.

The department's Under Secretary for Preparedness George Foresman 
adopted a defensive posture throughout the two-hour hearing, which also 
included testimony from the Federal Communications Commission and 
private sector representatives. A similar slate of witnesses, including 
Foresman, was scheduled to testify on the subject before a House 
Homeland Security panel on Wednesday afternoon.

Foresman emphasized that finding someone to fill the post of assistant 
secretary for cybersecurity and telecommunications remains a "top 
priority" for the department. The post has been vacant since its 
creation in July 2005, a situation that has drawn a rash of criticism 
inside and outside the government.

"We are in the final stages of a security process review for a candidate 
we feel is very well-qualified," he said. "We look forward to announcing 
this candidate with Congress very soon."

For a number of politicians, that assurance wasn't good enough. "To have 
gone this long without any attention to this or without having someone 
direct this part of the orchestra is dangerous for this country, I 
think, in plain English," said Rep. Anna Eshoo, a California Democrat. 
"I'm not one to try to hype up fear and all that, but we've placed 
outselves in a real ditch here by not having the administration name 
someone."

Foresman said he would "strenuously object" to the insinuation that 
department has been sitting idle while the post has remained vacant.  
"Had we been in neutral the entire time, I think there would be a grave 
concern, but I think we have been in overdrive all the time," he said.

One example of an action the department has taken was a weeklong mock 
attack called Cyber Storm, he said. The agency on Wednesday released a 
17-page "after-action report" assessing the results of the February 
exercise, which involved more than 100 public and private agencies, 
associations, and corporations from more than 60 locations across five 
countries.

Among the challenges experienced during the exercise, according to the 
report, are an insufficient number of "technical experts" on board to 
"fully leverage the large volume of incident information that was being 
provided;" difficulty figuring who to call within organizations to seek 
help during crises; and lack of a rapid means to assess and 
prioritize--or "triage"--cyber incidents.


Terrorist cyber-attacks?

Fresh off commemorations of the fifth anniversary of the Sept. 11 
attacks earlier this week, some members at the morning hearing seemed 
particularly alarmed by the specter of terrorist-driven cyberincidents.

"Certainly cyberterrorism is something that is likely to be in 
al-Qaida's playbook, and we should be vigilant against such threats,"  
said Rep. Edward Markey, a Massachusetts Democrat who serves as 
co-chairman of the panel.

"Some people probably think they're exempt from the impact of the 
Internet, but you'd almost have to live in a cave to be truly 
unaffected," added Texas Republican Joe Barton, who serves as chairman 
of the influential House Energy and Commerce Committee. A widespread 
disruption on that front, he quipped, "is exactly the outcome envisioned 
by a man who does live in a cave: Osama bin Laden."

That theme continued in the afternoon hearing, convened by a House panel 
on intelligence, information-sharing and terrorism risk assessment.

"If we are not successful in our information-sharing efforts, then we 
are not going to be successful in connecting the dots to protect our 
people and our nation from the possibility of additional attacks,"  
said Connecticut Republican Rob Simmons, the panel's chairman.

The focus of concern was a June 2006 report (click for PDF [2]) from the 
department's Inspector General's Office that found the agency's 
information-sharing network was not performing as intended.

The Department of Homeland Security's Assistant Inspector General Frank 
Deffer outlined a number of those flaws. They included an overly rushed 
schedule for rolling out and expanding the system after DHS inherited 
control of it in 2003; inadequate training and guidance for users on how 
to use it; general mistrust for the secrecy of information shared 
through the portals; and lack of availability of real-time information 
about situations.

During the 2005 London Underground bombings, for instance, "users were 
able to get better information faster by calling personal contacts at 
law enforcement agencies with connections to the London police than by 
using the system," Deffer said. As a result, the system has very few 
active users, he said.

"Taxpayers really should be outraged by what's happened here," Rep.  
Zoe Lofgren, a California Democrat, said of the $50 million undertaking. 
"The program is not only a model of haste and waste, but it's a missed 
opportunity to do things right."

Copyright ©1995-2006 CNET Networks, Inc. All rights reserved.

[1] http://www.gao.gov/new.items/d061100t.pdf 
[2] http://www.dhs.gov/interweb/assetlibrary/OIG_06-38_Jun06.pdf



_________________________________
HITBSecConf2006 - Malaysia 
The largest network security event in Asia 
32 internationally renowned speakers 
7 tracks of hands-on technical training sessions. 
Register now: http://conference.hitb.org/hitbsecconf2006kl/



This archive was generated by hypermail 2.1.3 : Wed Sep 13 2006 - 23:23:59 PDT