[Infowarrior] - DHS to Bolster Protection of Civilian Computer Networks

Richard Forno rforno at infowarrior.org
Tue May 12 19:06:22 UTC 2009


DHS to Bolster Protection of Civilian Computer Networks

By Ellen Nakashima and Spencer S. Hsu
Washington Post Staff Writers
Tuesday, May 12, 2009 2:13 PM

http://www.washingtonpost.com/wp-dyn/content/article/2009/05/12/AR2009051201743_pf.html

The Department of Homeland Security will step up operations to secure  
civilian computer networks against cyber attacks in coming years,  
getting increases in funding and personnel, and coordinating  
responsibilities now scattered across government agencies,  
administration officials said this week.

The comments come as a comprehensive review of the nation's cyber  
defenses before President Obama has triggered a broader debate over  
whether the government is sufficiently mobilized and has the resources  
to tackle complex cyber-security threats posed by sophisticated  
criminal operations and states such as Russia and China. A debate over  
the White House's role in leading the effort also is expected to be  
resolved soon, with an announcement expected as early as the end of  
this week, though more likely next week, sources said.

The review, led by Obama aide Melissa Hathaway, was aimed at crafting  
a broad strategy to defend against debilitating cyber attacks --  
against government sites and the increasingly global computer networks  
of major telecommunications, financial, energy and other companies  
that control critical infrastructure. But not all issues have been  
resolved, sources said.

Officials said that under the plan, the National Security Agency would  
continue to assist DHS in protecting civilian networks, despite  
concern over the impact on Americans' privacy and the legal authority  
for the military and intelligence agency to conduct domestic  
surveillance activities. Legal reviews of that issue are ongoing,  
officials said.

The extent to which the government should direct or guide actions by  
owners of private commercial systems remains a matter of sharp  
disagreement with industry and civil liberties groups and probably  
will be deferred, said sources who have been briefed on the discussions.

Senior administration officials told reporters last month that the  
report would establish that the White House would oversee and direct  
interagency cyber efforts, but would leave operations to the relevant  
agencies. They said the report would outline a strategic vision but  
leave many major policy questions to officials to be named later.

The Pentagon and intelligence community have responsibility for  
protecting military and classified networks, and are considering  
creating a new cyber command to combine offensive and defensive cyber  
efforts. Meanwhile, the Homeland Security Department was given a  
greater role in defending civilian government systems last year under  
the Bush administration's Comprehensive National Cyber Security  
Initiative, a largely classified, five-year, $17 billion effort.

In his proposed 2010 budget last week, President Obama requested a  
$177 million, or 16 percent, increase in spending for DHS's chief  
information officer and Infrastructure Protection and Information  
Security office, which include agencies that Bush identified as the  
cornerstone of civilian coordination and preparedness efforts.

The full-time staff of the latter is projected to triple between 2008  
and 2010, to 1,031 civilian workers.

Speaking to Washington Post editors and reporters Monday, Homeland  
Security Secretary Janet Napolitano said the department expected  
significant increases in cyber funding "not only this year but in  
years to come."

"We will become, in effect, the non-DoD locus for cyber security,"  
Napolitano said. "It makes sense to have a DoD focus and a non-DoD  
focus, and I think that's functionally where it's going."

Napolitano acknowledged complaints that DHS lacks adequate skills and  
personnel to achieve its mandate. However, she said the department  
will continue to receive "technical assistance" from the NSA. Sources  
said the department is expected to expand its cyber security  
operations centers, pulling in non-defense components from across the  
government, such as the Treasury Department.

"In reality a lot of that is the intersection of DHS and their .gov  
sites, and their relationship to the banks and regulated communities.  
They're all wrapped up together," Napolitano said.

Her remarks came after NSA Director Lt. Gen. Keith B. Alexander told a  
House panel last week that the Pentagon is considering creating a new  
cyber command at Fort Meade, where the NSA is based, and after the  
White House report is released, the Pentagon will begin to "walk  
through" with industry what it can do to help them.

In an interview with The Washington Post after the hearing, he said he  
thought DHS is "going to need the technical support" from NSA.  
"Secretary Napolitano is superb at that," he said. "She knows how to  
leverage us."

Though the NSA is acknowledged to have the skills to detect cyber  
threats and exploit adversaries' vulnerabilities, the secrecy  
surrounding its activities and recent controversy over its role in the  
Bush administration's warrantless surveillance of Americans' e-mails  
and phone calls have raised concerns over its participation in the  
protection of non-military networks.

Among departments, the Pentagon and NSA also are wrestling with  
battles over turf and sensitive legal and operational questions about  
how and when to share classified information about computer threats  
with the private sector.

At the White House, the review has triggered jockeying among the  
National Economic Council and Office of Science and Technology Policy  
and the National Security and Homeland Security councils. The number  
of cyber-security incidents reported by federal agencies to the U.S.  
Computer Emergency Readiness Team within the National Cyber Security  
Division at DHS more than tripled between 2006 and 2008, the  
Government Accountability Office, Congress's audit arm, reported last  
week.

The GAO found weaknesses in security controls needed to detect or  
prevent cyber attacks at 23 of 24 major agencies. 

