[Infowarrior] - Task force aims to improve US cybersecurity

[Richard Forno]

http://www.theregister.co.uk/2007/11/02/us-cybersecurity_task_force/
Task force aims to improve US cybersecurity
By Robert Lemos, SecurityFocus
Published Friday 2nd November 2007 21:23 GMT

A blue-ribbon panel of three dozen security experts hopes to craft a
strategy to improve the United States' cybersecurity by the time the next
president takes office, the Center for Strategic and International Studies
(CSIS), and the task force's Congressional sponsors, announced on Tuesday.

The bipartisan Commission on Cyber Security for the 44th Presidency will be
tasked with creating a plan to secure the nation's computers and critical
infrastructure and presenting that plan to the next president. The task
force is headed by Representatives Jim Langevin (D-RI) and Michael McCaul
(R-TX), Microsoft's vice president for Trustworthy Computing Scott Charney
and retired Navy admiral Bobby Inman.

The commission will have at least four major meetings over the next year to
hash out an agenda, investigate the issues and make recommendations, James
Lewis, senior fellow at the Center for Strategic and International Studies
(CSIS), which is funding the commission.

"This is not a tech focus; it is a Washington focus," Lewis said. "You
always have an opportunity, when a new administration comes in, to do some
quick fixes and that is what we are trying to do with this commission."

Cybersecurity has not been a major priority for past administrations. In
1998, President Clinton signed Presidential Decision Directive No. 63
(http://www.securityfocus.com/news/164), which required agencies to take
steps to protect eight critical infrastructures.

In 2000, the Clinton Administration unveiled its National Plan to Protect
Critical Infrastructure
(http://www.news.com/Clinton-launches-plan-to-protect-IT-infrastructure/2100
-1023_3-235352.html?tag=item), but failed to fund
(http://www.securityfocus.com/news/85) critical programs to push federal
agencies to secure their systems.

While many of those agencies have slowly improved their security compliance
scores (http://www.securityfocus.com/news/11458) under the Federal
Information System Management Act (FISMA) of 2002, the Bush Administration
has also largely failed (http://www.securityfocus.com/brief/605) to create
strong recommendations or requirements to improve cybersecurity.

This year, the House Subcommittee on Emerging Threats, Cyber Security and
Science and Technology has taken an increasing interest
(http://www.securityfocus.com/news/11472) in federal agencies' failure to
protect themselves against online attacks.

The Department of State acknowledged
(http://www.securityfocus.com/brief/250) in June 2006 that attackers had
installed remote access software on systems in the agency and abroad, stolen
passwords and targeted information on China and North Korea. In October
2006, the Department of Commerce took hundreds of computers
(http://www.securityfocus.com/brief/324) offline following a series of
attacks aimed at federal employees' computer accounts by online thieves that
appear to be based in China.

"I believe the government, across all levels, is too complacent when it
comes to protecting their digital assets and this needs to change,²
commission co-chair Rep. Langevin, who also heads the Homeland Security
Subcommittee on Emerging Threats, Cyber Security and Science and Technology,
said in a statement.

The commission aims to be nonpartisan and brings together 32 security
experts, apart from the four people heading the panel. Among the experts are
Idaho National Laboratories' infrastructure protection strategist Michael
Assante, Oracle's chief technology officer Mary Ann Davidson, Princeton
University professor of computer science Edward Felten, IBM Internet
Security System's CEO Tom Noonan, and Verizon's executive director for
national security policy Marcus Sachs.

As of yet, there is not firm agenda for the commission, said Sachs.

"There are no assumptions," he said. "Lets just get the cybersecurity
experts together and see what comes out as an agenda."

Whether online attacks could constitute terrorism is still a matter of
contention today, but the ability of Internet attackers to affect financial
networks, power system, and infrastructure critical to the U.S. economy is
not. For example, since March, the Department of Homeland Security has been
showing power companies a video of a simulated attack
(http://www.securityfocus.com/brief/597) against a power plant using a real
vulnerability. In the video, a turbine dramatically overheats while smoke
pours out.

"While cybersecurity in the U.S. has improved in the last five years, the
threat model continues to change and the risks to U.S. security and economic
well-being are steadily increasing," Microsoft's Charney, one of the four
co-chairs of the commission, said in a statement sent to SecurityFocus.
"Therefore, much still needs to be done."

The commission plans to have a report outlining their recommendations to
give to the next president's transitional team in December 2008.

³The next President and their administration must be prepared to hit the
ground and protect America¹s cyber networks,² Rep. McCaul, the ranking
member of the Homeland Security Subcommittee on Emerging Threats, Cyber
Security and Science and Technology, said in a statement. ³As it stands now
this nation is severely challenged by current cyber attacks."

This article originally appeared in Security Focus
(http://www.securityfocus.com/news/11494).

Copyright © 2007, SecurityFocus (http://www.securityfocus.com/)