[Infowarrior] - Federal IT pros say U.S. at high risk for cyberattack

Richard Forno rforno at infowarrior.org
Thu Apr 8 17:27:58 UTC 2010


Federal IT pros say U.S. at high risk for cyberattack
by Lance Whitney


http://news.cnet.com/8301-1009_3-20002009-83.html?part=rss&subj=news&tag=2547-1_3-0-20
Almost three-quarters of the government IT administrators polled in a  
new survey believe the U.S. is likely to face a cyberattack from a  
foreign country in the next year.

Key IT decision makers who work in national defense and security were  
questioned in a new Clarus Research Group survey commissioned by  
Lumension and released Tuesday. Among those polled for the "Federal  
Cyber Security Outlook for 2010 Survey," 74 percent expect a  
cyberattack from foreign shores in the next year.


What types of threats and security risks do federal IT professionals  
fear the most? Among the respondents, 64 percent said they're worried  
about the growth and sophistication of cyberattacks, while 49 percent  
expressed concern over negligent or purposely malicious employees or  
insiders creating trouble.

These risks are also heightened by a lack of sufficient resources and  
coordination: 42 percent said they don't have the budget or staff to  
properly address security risks, 25 percent noted a lack of  
integration between security and overall IT operations, and 22 percent  
said there's no coordination between security and their IT operations.

The holes in IT security within the government have already left the  
door open for attacks. Over the past year, 59 percent of those polled  
said their agency or department was hit by viruses or malware, 53  
percent said that internal notebooks, desktops, and other devices have  
been stolen, and 50 percent reported the loss of sensitive information  
due to a negligent employee.

The White House, under both President Bush and President Obama, has  
struggled to try to clean up the nation's weaknesses in cybersecurity.  
In 2008, the Department of Homeland Security established the National  
Cyber Security Initiative as an attempt to coordinate national  
security with the private sector and within the government itself.  
This past December, the White House appointed a new cybersecurity chief.

Despite these and other efforts by the government, more than half of  
the IT pros questioned by Clarus Research expect only minor changes as  
a result. Of those polled, 41 percent said they've spent less than 10  
percent of their time in the past year working on the National Cyber  
Security Initiative.

Overall, only 6 percent of those surveyed rated the government's  
ability to stop or deal with cyberattacks on critical U.S. operations  
as "excellent," while 42 percent rated it as "only fair" or "poor."  
Most did express more confidence in their level of IT security today  
versus a year ago, but mainly due to improvements in technology,  
better collaboration between IT security and operations, and internal  
audit requirements.


"Unfortunately, when it comes to our infrastructure, we are already  
under attack and are faced with the reality of a growing and advanced  
persistent threat from foreign entities that are targeting our  
critical U.S. infrastructure," Lumension CEO Pat Clawson said in a  
statement. "The traditional government responses we've seen so far,  
such as naming a security coordinator, announcing a cyber security  
initiative, and focusing on compliance initiatives will not alone  
successfully address this problem."

What does the future hold? Those polled expect that the next few years  
will see growing threats to U.S. critical infrastructure from foreign
countries and terrorist groups. In response, Clawson, who has a  
background in security, offered a few suggestions in a recent blog  
posting and laid out some specific steps:


We must do three things if we are to truly empower and implement a  
robust national cybersecurity plan. One--we need to have an empowered  
cyber security czar, with budget and policy authority, reporting  
directly to the president.

Next--given that 90 percent of our critical infrastructure is owned or
managed by private entities, we need a collaborative government and  
private sector partnership to better understand the risks at hand and  
to better define IT security standards, practices, and contingency  
plans in the event of a major attack.

And finally--we need to shift from an absolute focus on being  
compliant with ad-hoc audits for verification, to one of being secure  
and continuously monitoring our IT environment to ensure that the  
proper controls are always in effect. 

