Information Security News mailing list archives

Feds Falling Short on Cybersecurity


From: InfoSec News <isn () c4i org>
Date: Wed, 9 Apr 2003 05:22:06 -0500 (CDT)

http://www.washingtonpost.com/ac2/wp-dyn/A55783-2003Apr8

By Brian Krebs
washingtonpost.com Staff Writer
April 8, 2003

The new Department of Homeland Security lacks the resources and
expertise to execute the core elements of the Bush administration's
cybersecurity plan, the president's former cybersecurity adviser told
Congress today.

In his first appearance on Capitol Hill since leaving the White House
in February, former cybersecurity czar Richard Clarke warned lawmakers
against the "dangerous" tendency to dismiss the consequences of an
attack on the nation's computer networks.

"For many, the cyber threat is hard to understand; no one has died in
a cyberattack, after all, there has never been a smoking ruin for
cameras to see," said Clarke, now a security consultant. "It is the
kind of thinking that said we never had a major foreign terrorist
attack in the United States, so we never would; al Qaeda has just been
a nuisance, so it never will be more than that."

Testifying before a House Government Reform subcommittee, Clarke said
the government should create a National Cybersecurity Center staffed
by top computer security experts. The government also needs a federal
chief information security officer with authority over all federal
agencies, he said.

"Without such an official, departments will continue as they have for
years, vulnerable to cyber intrusion and woefully behind in the
deployment of modern IT security technology," Clarke said.

In October, the General Accounting Office found that all 24 federal
agencies continue to have "significant information security
weaknesses" that expose government computer systems and other networks
to "fraud, misuse and disruption." The House Government Reform
Committee subsequently awarded most federal agencies failing grades
for computer security for the third year in a row.

The White House Office of Management and Budget has authority over IT
security within federal civilian agencies, but Clarke said the office
is understaffed. "[The] OMB has attempted to perform this function
with one or two people buried in their bureaucracy and an interagency
committee of the CIO Council, which lacks both expertise and
authority," he said.

But the OMB official charged with leading President Bush's
e-government agenda said at today's hearing that the administration is
giving just the right amount of attention to cybersecurity and that
critics may be expecting too much too soon.

"The [Homeland Security] Department has only been up for several weeks
now, and I think when you see their go-forward plan you'll see how
they've integrated their abilities, and I think you'll see some
innovations to that as well," said Mark Forman.

Government May Face Cybersecurity Brain Drain

Clarke's testimony was echoed at today's hearing by Michael Vatis,
former director of the National Infrastructure Protection Center, one
of five federal cybersecurity divisions recently transferred to the
Homeland Security Department.

Vatis told the House panel that the federal government is now less
prepared to deal with cybersecurity threats than it was a year ago, in
part due to the dismantling of the White House cybersecurity board
that Clarke chaired.

Vatis also said that the lack of a senior administration official
solely in charge of computer security has left "a serious void in
executive branch leadership." He noted that cybersecurity is folded
under Homeland Security's Information Analysis and Infrastructure
Protection division. As long as responsibility for cybersecurity
remains a subset of physical protection, "cyber will continue to get
short shrift," he said.

The former FBI official also testified that the majority of FBI
cybersecurity experts assigned to NIPC did not transfer to the
Homeland Security department, leaving the administration with hundreds
of positions to fill. Given the time it takes to perform background
checks on new employees, Vatis estimated that it will be more than a
year before the department is fully prepared to respond to major
cyberattacks.

Homeland Security department spokesman David Wray said that the agency
has more than 200 positions to fill -- many of them in the cyber
division. But he defended the administration's decision to place one
person in charge of cybersecurity and protecting the safety of vital
physical assets like the telecommunications system and the power grid.

"Obviously we have a different view of that. We think that the two
should be integrated, not standing alone, and what you'll see in our
emerging policy will reflect that," Wray said.

The shifting of responsibility for cybersecurity policy within the
administration has left many in the private sector questioning the
administration's commitment to the issue, at least in the near term,
said Stewart Baker, former general counsel to the National Security
Agency.

But Baker said it may be too soon to ask whether the department is
giving cybersecurity the attention it deserves.

"There's obviously been a pause in attention to this for a lot of
reasons, including the standing up of DHS and the fact that we're in
the middle of a war," Baker said. "But the best time to judge the
administration is three or four months from now when the department is
up and running and leadership is briefed."

Clarke's Recommendations

Clarke, who played a leading role in drafting the White House's
recently released National Strategy to Secure Cyberspace, today
offered several steps he believed the federal government should take
to guard the nation's IT infrastructure.

Clarke recommended that federal workers should be required to use
authentication cards to gain access to agency networks, similar to an
existing program at the Department of Defense. He also said that
Congress should support administration plans to allow companies to
monitor the security of large federal agency networks.

"We kid ourselves if we believe that most departments can operate
24-by-7 command centers to monitor intrusion detection devices and
firewalls," he told the panel.

Clarke also suggested shifting funds for cybersecurity research and
development away from the National Science Foundation in favor of
federally funded national labs like Los Alamos and Lawrence Livermore,
and MITRE Corp., a nonprofit group that works with the Defense Dept.

Last year, Congress passed legislation providing $900 million over
three years for cybersecurity research and development. Clarke urged
lawmakers to authorize funding for the program, even if the
administration does not request the full amount.

The government also should direct the GAO to install sensors in
federal agency networks that continuously scan computers for security
holes, Clarke said. To complement that system, Congress should also
expand a General Services Administration program that provides
software "patches" to fix the most common and serious vulnerabilities,
he added.

Clarke also suggested requiring agencies to outsource responsibility
for IT security, and forcing private companies to provide Congress
with weekly or monthly reports on their progress. Having the ability
to fire or fine companies that perform poorly would be immensely more
productive than berating agency chief information officers before the
committee following the release of the annual GAO report, he said.

Vatis recommended that Congress require publicly traded companies to
disclose their cybersecurity progress in annual reports to the
Securities and Exchange Commission, similar to the requirements that
were applied to companies in the months leading up to the Y2K
transition.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.