[ISN] DHS gives itself a 'C' for cybersecurity

From: InfoSec News (alerts@private)
Date: Fri Feb 29 2008 - 01:20:42 PST


http://www.govexec.com/story_page.cfm?articleid=39393

By Jill R. Aitoro  
Govexec.com  
February 28, 2008  

The top ranking official in the Homeland Security Department's national 
protection division called the agency's efforts in cybersecurity 
satisfactory, assigning a grade of 'C' during congressional testimony 
Thursday. But members of Congress called the grade inadequate, 
emphasizing the need for better collaboration with agency technology 
leaders, real-time response to system attacks, and metrics that measure 
the ability to protect networks from specific threats rather than system 
compliance.

DHS officials didn't reveal too many specifics regarding the much 
anticipated but highly classified initiative during a hearing before the 
House Homeland Security Committee. Robert Jamison, undersecretary for 
national protection and programs directorate at DHS, described plans to 
enhance federal cyber-situational awareness, intrusion detection, 
information sharing and response capabilities.

The primary means of accomplishing these goals will be the trusted 
Internet connections initiative, which aims to reduce the number of 
federal connections to networks outside the firewall, and Einstein, a 
system that monitors agency networks using an automated process for 
collecting, correlating, analyzing and sharing computer security 
information with the U.S. Computer Emergency Readiness Team, or US-CERT. 
So far, 15 agencies have deployed Einstein.

"The threat is real," Jamison said. "Our adversaries are adept at hiding 
attacks in normal everyday traffic that comes across the network. The 
only true way to protect networks is intrusion detection."

The total budget for the comprehensive initiative has not been 
confirmed, but reports estimate related funds to be in the billions. DHS 
requested $294 million in its fiscal year 2009 budget for cybersecurity, 
most of which will go to continued deployment of Einstein. While DHS 
will lead much of the initiative, individual agencies will be 
responsible for aspects of cybersecurity efforts, and the Office of 
Management and Budget will help enforce system compliance across the 
federal government.

When asked how he would grade DHS in its response to cybersecurity 
threats, Jamison gave the department "a solid 'C'," which members of 
Congress called unsatisfactory.

"I would say 'C' is an [accurate] score, but absolutely unacceptable, 
because they're supposed to lead by example," said Alan Paller, director 
of research at the SANS Institute, a nonprofit cybersecurity research 
organization in Bethesda, Md.

Among the problems that lawmakers noted is the tendency by agencies to 
leave in the dark those charged with protecting networks. Threat 
analysis conducted by DHS and other national security agencies is 
largely classified, and therefore not disclosed to chief information 
officers. Jamison said that efforts to improve situational awareness -- 
by consolidating the number of external Internet connections and 
improving intrusion detection -- will increase the amount of information 
available to agency CIOs.

Both Republicans and Democrats in Congress also stressed the need to 
move away from a reactionary strategy. Einstein, for example, tracks IP 
addresses, the size of data packets and where information is flowing 
from network to network, but is largely passive. Information needs to be 
routinely downloaded and analyzed to detect patterns, malicious 
addresses and any suspicious activities. Planned enhancements to 
Einstein will allow real-time response to threats, Jamison said, by 
finding harmful code and alerting system administrators when intruders 
attempt access.

"I've been sitting here with my mouth open," said Rep. Jane Harman, 
D-Calif. "While all of you are well-meaning, the fact that you don't 
have threat information and are working on projects that will take years 
to complete is shocking. If we're serious about these threats, we're not 
being serious about response."

Karen Evans, OMB administrator of electronic government and information 
technology, hinted at new metrics for gauging the ability of agency 
networks to combat threats. Certification and accreditation of systems, 
currently the primary means of measuring agency compliance with 
cybersecurity efforts, allows agencies to inventory what they have 
in place, while future metrics will test for vulnerabilities.

"When we first started this process ... agencies didn't know what they 
didn't know," Evans said, loosely quoting a statement made by former 
Homeland Security CIO, Scott Charbo, during a June 2007 congressional 
hearing on the same topic. Charbo, who is now the DHS deputy 
undersecretary of the National Protection and Programs Directorate, also 
testified at Thursday's hearing.

"Certification and accreditation is a soup-to-nuts process," Evans said. 
"[Now] we have to move to the next level where we're actually achieving 
a result rather than doing a paper exercise."

New metrics need to measure how well agencies can withstand known 
attacks, Paller said.

"The biggest mistake of the last 10 years has been that people kept 
attacks secret; it caused the government to fall behind. Now that we 
know better, let's measure systems not on the hypothetical, but on 
what's real."
