[Infowarrior] - Lawmakers voice concerns over cybersecurity plan

Richard Forno rforno at infowarrior.org
Sat Mar 1 04:04:42 UTC 2008


Lawmakers voice concerns over cybersecurity plan
Robert Lemos, SecurityFocus 2008-02-29

http://www.securityfocus.com/news/11507?ref=rss

Members of the House of Representatives sought details on Thursday of a $30
billion plan to secure federal government systems and upgrade network
defenses to ward off attacks from foreign nations and online criminals.

Known as the Cyber Initiative, the Bush Administration project would
dramatically reduce the number of interconnections between federal
government networks and the Internet and put more advanced network security
in place to monitor data traffic for signs of malicious attacks. While the
5- to 7-year project could dramatically improve the network defenses of
government agencies, lawmakers questioned whether the initiative will be
too little, too late, and whether the resulting network monitoring could
undermine privacy.

"It's hard to believe that this Administration now believes it has the
answers to secure our federal networks and critical infrastructure,"
Representative Bennie Thompson (D-MS), chairman of the House Committee on
Homeland Security, said in prepared remarks at the opening of the hearing on
Thursday. "I believe cybersecurity is a serious problem -- maybe the most
complicated national security issue in terms of threat and jurisdiction.
This problem will be with us for decades to come."

The U.S. government gave short shrift to cybersecurity issues at the
beginning of the decade. While the Bush Administration released its National
Strategy to Secure Cyberspace in 2003, the final document significantly
softened the government's stance on securing critical infrastructure, which
is primarily maintained by private companies. The Administration also
collected most of the cybersecurity capabilities into the Department of
Homeland Security and then failed to fund the efforts. While Congress
established the position of Assistant Secretary for Cybersecurity within the
DHS in 2005, the Bush Administration failed to fill the leadership role for
more than a year, finally appointing Greg Garcia, a former
information-technology lobbyist, to the post.

In the last two years, however, the Bush Administration has focused more
intently on securing government networks. The U.S. Computer Emergency
Readiness Team (US-CERT) has deployed a network-traffic analysis system,
EINSTEIN, to monitor 15 agencies for possible computer intrusions. The
National Institute of Standards and Technology has created the National
Vulnerability Database and worked with other agencies to create important
standards for configuration management and vulnerability detection. The
Office of Management and Budget, along with NIST, is spearheading an effort
to get all desktop computer systems within federal agencies to use the
Federal Desktop Core Configuration -- a standard, secure configuration for
Windows XP and Windows Vista.

The latest effort by the Bush Administration is the so-called "Cyber
Initiative" -- a plan to minimize the number of trusted Internet
connections, or TICs, and improve EINSTEIN's monitoring on those connections
to prevent attacks in real time. The Bush Administration has budgeted $30
billion over the next five to seven years for the program, according to
statements by Committee members. The 2009 budget has requested $294 million
for US-CERT to hire more analysts and fund the additional deployment of the
system.

During Thursday's hearing, officials from the Office of Management and
Budget and the Department of Homeland Security answered the Committee's
questions on the non-classified components of the initiative.

As part of the Cyber Initiative, a major effort is under way to reduce the
number of interconnections between federal agencies and the public Internet.
Currently, more than 4,000 trusted Internet connections (TICs) link the
federal government to the Internet, according to Robert Jamison, Under
Secretary for the DHS's National Protection and Programs Directorate. Under
the Cyber Initiative, that will be reduced to 50.

The DHS and the Office of Management and Budget (OMB) share responsibility
for consolidating the network connections, said Karen Evans, the
administrator for OMB's Electronic Government and Information Technology
division. The initiative applies to all connections, no matter the agency,
she said.

"Any external connection to an entity causes a risk," Evans said. "All
agencies have to report to the OMB all external connections, and that means
all of them."

Agencies have already submitted plans to Evans' office to reduce the number
of access points. The initial deadline for complying with the OMB's mandate
is June 2008.

The second part of the Cyber Initiative calls for improvement to the
EINSTEIN intrusion detection system and the deployment of the system to
monitor all 50 Internet access points. Currently, EINSTEIN conducts flow
analysis -- tracking the source, destination, port and size of packets on
the networks of 15 federal agencies.

"We only monitor a very small percentage of federal network traffic,"
Jamison told the committee members. "We want, through this initiative, to
increase that to 100 percent of all federal network traffic."

The information is analyzed on a daily basis, so the system cannot detect
threats in real time, DHS's Jamison said. The system would be enhanced to do
more real-time analysis, he said.

"We are currently not looking at any content," Jamison said. "We are
proposing that we are going to do that. The threats are real. Our
adversaries are really adept at hiding their attacks in normal everyday
traffic. The only way to really protect your networks is to have intrusion
detection capabilities."

Attacks on federal agencies have become a focus of the Committee on Homeland
Security. A year ago, the House Subcommittee on Emerging Threats,
Cybersecurity, and Science and Technology heard testimony from
representatives of the Departments of State and Commerce regarding attacks
on those agencies' systems the previous year. The Department of State
acknowledged in June 2006 that attackers had installed remote access
software on systems in the agency and abroad, stolen passwords and targeted
information on China and North Korea. In October 2006, the Department of
Commerce took hundreds of computers offline following a series of attacks
aimed at federal employees' computer accounts by online thieves that appear
to be based in China.

Germany, the United Kingdom and the U.S. have all accused Chinese-funded
hackers of breaching their government networks.

A few committee members questioned whether the network monitoring system
could cause privacy problems if the government increased its capabilities.

"My constituents are asking about this," said Rep. Jane Harman (D-CA), a
member of the Committee on Homeland Security. "'Government sets up spy
network,' that is how they are going to perceive this hearing."

Yet, the Bush Administration officials assured the committee members that
the privacy impact of the evolved system is currently being investigated.

"Privacy and civil rights have been a top priority of this effort," the
DHS's Jamison said. "EINSTEIN has a privacy impact assessment that is
public. We are working on a new one."

The original assessment, completed in September 2004, found that the
EINSTEIN system did not need to have a Privacy Act System of Records "because
the program is not intended to collect information that will be retrieved by
name or personal identifier."

The committee also took issue with DHS Secretary Michael Chertoff's
decision to appoint Scott Charbo, the former CIO for the department, to the
position of Deputy Under Secretary in charge of implementing the program.
Charbo had told the committee previously that he had not been briefed on
incidents involving infiltration of government systems by foreign attackers.
His reply -- "You don't know what you don't know." -- has become a symbol of
the Bush Administration's lack of focus on cybersecurity issues.

"Your decision to promote Mr. Charbo to Deputy Under Secretary of National
Programs and Plans effectively places him in charge of the cyber initiative
at the Department," Rep. Thompson stated in a February letter to DHS
Secretary Michael Chertoff. "Given his previous failings as Chief
Information Officer, I find it unfathomable that you would invest him with
this authority."

In a response to the letter, Secretary Chertoff defended Charbo,
highlighting the changes that have happened under his watch.
