
Nation's Cyber Plan Outdated, Lawmakers Told

The nation's plan and policies for protecting its critical online infrastructure are severely outdated and flawed, experts told lawmakers Wednesday at a House subcommittee hearing.

"Demanding report cards, legislating under the influence of adrenaline, imagining that cyber-security is an end rather than merely a means -- all these and more inevitably prolong a world in which we are procedurally correct but factually stupid," said Daniel Geer, a principal at Geer Risk Services and a biostatistician, in written testimony.

The meeting followed a hearing last week where lawmakers reviewed the grades given to federal government agencies and departments for efforts to secure their information technology networks.

Rep. James Langevin (D-R.I.), who chairs the House Homeland Security subcommittee, said in his opening statement that he was troubled by the administration's efforts on cyber security and questioned the prudence of funding cuts to the Homeland Security Department's science and technology directorate.

Although the department's science and technology unit was slated to receive $22.7 million for fiscal 2007, the division was funded at only $13 million, the Rhode Island Democrat noted.

Jim Lewis, a security expert with the Center for Strategic and International Studies, told the Emerging Threats, Cybersecurity, and Science and Technology Subcommittee that the nation's current national cyber strategy is outdated.

The 2003 plan "shifted too much of the burden for security to the private sector and did not resolve key issues regarding responsibility within the government," he said, adding that a new, comprehensive strategy would need to address issues such as streamlining how many interagency groups and committees work on the same cyber issues.

"The U.S. does not need a new White House cyber czar, but it does need to do more to direct and coordinate efforts by the various agencies," he said. Lewis lauded the recent creation of a cyber-security policy coordinating committee at the National Security Council as an important first step.

Rep. Bennie Thompson, the Mississippi Democrat who chairs the full Homeland Security Committee, said he was concerned that department Secretary Michael Chertoff had called better coordination of cyber-security practices across the government a top priority at last week's hearing, given how long it took him to appoint an assistant secretary of cyber-security and given that the department's chief information officer recently got a "D" for its internal cyber-security efforts.

Sami Saydjari, president of the nonprofit Professionals for Cyber Defense, urged lawmakers in written testimony to consider cyber-space as a new territory that must be defended as a primary controller of the nation's real-world assets.

"The U.S. is vulnerable to a strategically crippling cyber-attack from nation-state-class adversaries," said Saydjari, who also worked at the National Security Agency and the Defense Advanced Research Projects Agency.

He suggested that Congress offer $500 million to start a "Cyber Manhattan Project" that would be run by the country's top experts to help mitigate the rise of these foes. He envisioned the fund eventually would grow to multiple billions of dollars.

"Indications are that national economic devastation is quite possible, and when we're in the middle of the disaster isn't the time to start thinking about how to respond," he said, adding that preparing for cyber war will take more than three years and require infrastructure for critical computer systems, experienced defenders and a national program.

Both Saydjari and Lewis addressed the threat of espionage, with Lewis calling cyber espionage the greatest current threat to the United States.

Douglas Maughan, of DHS's Science and Technology Directorate, characterized the Internet as the central nervous system of the nation's governments, citizens and industries.

"When it is attacked, the effects can ripple far and wide," he said.

Maughan noted that the Internet was developed to provide "essential minimum communications" in the event of a nuclear attack and was not designed with security in mind. He noted that in addition to the Internet, many technologies in widespread use today -- such as cell phones, wireless networks and personal digital assistants -- are vulnerable to malicious attacks.

"Attacks on these technologies have forced us into a defensive posture, and the financial costs are significant," he said. "Attackers can reach our business and government systems through the maze of networks connected by the Internet."

washingtonpost.com's Sharon Mcloone helped report this blog post.

By Brian Krebs |  April 26, 2007; 5:00 AM ET From the Bunker

Comments




The current Cyber Security approaches commonly advocated and deployed by industry and government managers are limited to basic management, routine process, and commoditized technology bundles packaged and labeled as defense in depth. While perhaps necessary, these tactics do not rise to the level of the strategic engineering solutions needed to deliver continuity for business processes and supplier and product sources, survivability for enterprise systems, and resiliency under stress for the system of systems in the critical infrastructure.

Safeguarding the nation's critical infrastructure remains an incomplete challenge. While much is known about systems and obtaining intellectual control through completeness, correctness, and consistency arguments, not enough is known about systems of systems, the design of control mechanisms, and their actuation during crisis. Resiliency under stress is trustworthiness under all circumstances of use. In order to be secure now, the immediate thrust to combat Cyber Security impacts needs to shift away from the impossible task of controlling threats and vulnerabilities with a software workforce that has proven not up to the task to the necessary engineering challenge of assuring resilience throughout the nation's critical infrastructure.

The Maturity Framework for Assuring Resiliency Under Stress is intended to drive the business case and enterprise commitment towards the assurance of software security, business continuity, system survivability, and system of systems resiliency. Achieving maturity in the assurance of resiliency throughout the critical infrastructure will help safeguard the nation's critical infrastructure.

Demonstrating assurance is accomplished through business, technical, and operational claims spanning management, process, and engineering arguments. An enterprise claiming to have achieved maturity in assuring enterprise resiliency under stress is expected to present correct and complete arguments that justify belief in the claim along with clear and convincing evidence buttressing each argument.

Posted by: Don O'Neill | April 26, 2007 11:03 AM

Insightful article, excellent reporting

Posted by: Jason Birdsong | April 26, 2007 12:39 PM

I couldn't agree more with Don O'Neill's conclusion. Rather than treating customers like 'churn and burn' lemmings, businesses must internalize and promulgate customer interest throughout the organization. Balancing these objectives is difficult, but not impossible. Business interests (revenue growth) usually predominate, unless brand outrage (such as dead customers) materializes, which forces a change in organizational behavior.

As globalization accelerates, operational resiliency and the resilient enterprise is likely to be sacrificed to remain competitive. Product choices will diminish and inconvenience from compromised systems will multiply.

Long gone are the days of disciplined, accountable, and professional execution on behalf of the product, customer, and organization. Gordon Gekko lives.

Posted by: colonelklink | April 27, 2007 1:07 AM

Security is a process and not a product; organizations must take a defense-in-depth approach not only to their technical solutions but to their operational solutions as well. A standardized IA operational framework that includes the boots on the ground needs to be developed, standardized, role-based and deployed to your enterprise environment. You have to think of the solution like a mountain: IA will always be in a constant corrective-action state as long as the authorities continue to politick at the top of the mountain while the users and data owners suffer at the bottom.

Posted by: Adam Meyer | April 27, 2007 12:14 PM

Classified networks are not connected to the Internet, and usually require crypto devices for every communications line leaving or entering a node. Gateways have been implemented to allow interconnections between different levels of classification, a risky but highly regulated, filtered, and limited type of connection, with heavily audited and logged communication.

The Internet was not designed as a secure medium, and NO sensitive information should ever be exposed to it.

Encryption at both ends of a connection is NOT a secure connection when the encryption is performed on a host machine at either or both ends. Host-based encryption may provide a more secure connection, but if ALL external connections aren't encrypted, at BOTH ends, the security can only be as good as the least secure connection (network, MAC, TCP, UDP,...).

The above may appear to rule out using the Internet as a secure connection, and that is true. If a host is compromised, encryption is meaningless.

One or two hardware-based encryption devices, external to the host, can provide some level of security, but only if there are NO other unsecure connections, or connection methods, between that host and any other.

The (your) lowest level of security establishes the basic security level of an intranet, whose connections may include LAN, WAN, shared disks/files, etc.; if any are unsecure, all must be assumed to be. In reverse, if you are connected to an unsecure network (the Internet), you can be/are unsecure, and thus any other network or device may also be unsecure.

A simple test you can make: at a command prompt, enter "netstat -a" and a list of all CURRENT connections is displayed. You might be surprised at the number of EXTERNAL IPs shown, which are there BEFORE a "secure" connection is made. Do it again during a secure connection, and keep in mind that many spyware/ad monitoring programs also have access to those connections, including the secure ones.

The only solution is to NEVER allow unsecure access to sensitive data. If YOU can connect to the Internet, IT can connect to YOU.

Posted by: Gary Drummond | April 27, 2007 1:08 PM
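The "netstat -a" check the comment above describes, carried one step further as an added example (not the commenter's code): the Windows-style output is parsed and each foreign endpoint is labelled as wildcard, loopback, private or external, so the unexpected external peers are listed rather than eyeballed. The sample output and its addresses are constructed; 203.0.113.x and 198.51.100.x are documentation ranges standing in for external hosts.

```python
# Added example (not from the original post): classify the peers in Windows-style
# ``netstat -a`` output so the external connections the comment warns about stand out.
import ipaddress
import re

# Constructed sample output; 203.0.113.x and 198.51.100.x are documentation
# ranges standing in for arbitrary external peers.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5354         127.0.0.1:49152        ESTABLISHED
  TCP    192.168.1.20:49160     192.168.1.1:443        ESTABLISHED
  TCP    192.168.1.20:49161     203.0.113.10:443       ESTABLISHED
  TCP    192.168.1.20:49162     198.51.100.7:80        TIME_WAIT
  UDP    0.0.0.0:123            *:*
"""

LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (          # RFC 1918,
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",       # link-local,
    "169.254.0.0/16", "fc00::/7", "fe80::/10")]            # IPv6 ULA/LL

def scope(host):
    """Label a host as wildcard, loopback, private, external or unknown."""
    if host in ("*", "0.0.0.0", "::", "[::]"):
        return "wildcard"
    try:
        addr = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return "unknown"  # a resolved hostname; use ``netstat -an`` to avoid
    if addr.is_loopback:
        return "loopback"
    if any(addr in net for net in PRIVATE_NETS):
        return "private"
    return "external"

def parse_netstat(text):
    """Return one dict per connection line; the header line is skipped."""
    rows = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        proto, local, foreign, state = m.groups()
        host = foreign.rpartition(":")[0]  # keeps an IPv6 '[..]' host whole
        rows.append({"proto": proto, "local": local, "foreign": foreign,
                     "state": state or "", "scope": scope(host)})
    return rows

def external_connections(text):
    """Foreign endpoints outside loopback and private space."""
    return [r["foreign"] for r in parse_netstat(text) if r["scope"] == "external"]
```

Run against live output with "netstat -an" (numeric, so hostnames never reach the "unknown" branch) once before and once during a session you consider secure, and compare the two external lists.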

thank you very nice topic, thanks :)

Posted by: evden eve nakliye | April 30, 2007 10:23 AM


©  The Washington Post Company