[ISN] U.S. cybersecurity due for FEMA-like calamity?

InfoSec News isn at c4i.org
Tue Oct 11 00:02:58 EDT 2005


http://news.com.com/U.S.+cybersecurity+due+for+FEMA-like+calamity/2100-7348_3-5891219.html

By Declan McCullagh and Anne Broache 
Staff Writer, CNET News.com
October 10, 2005

In the wake of Hurricane Katrina, the Federal Emergency Management
Agency has been fending off charges of responding sluggishly to a
disaster.

Is the cybersecurity division next?

Like FEMA, the U.S. government's cybersecurity functions were
centralized under the Department of Homeland Security during the vast
reshuffling that cobbled together 22 federal agencies three years ago.

Auditors had warned months before Hurricane Katrina that FEMA's
internal procedures for handling people and equipment dispatched to
disasters were lacking. In an unsettling parallel, government auditors
have been saying that Homeland Security has failed to live up to its
cybersecurity responsibilities and may be "unprepared" for
emergencies.

"When you look at the events of Katrina, you kind of have to ask
yourself the question, 'Are we ready?'" said Paul Kurtz, president of
the Cyber Security Industry Alliance, a public policy and advocacy
group. "Are we ready for a large-scale cyberdisruption or attack? I
believe the answer is clearly no."

The department, not surprisingly, begs to differ. "Cybersecurity has
been and continues to be one of the department's top priorities," said
Homeland Security spokesman Kirk Whitworth.

But more so than FEMA, the department's cybersecurity functions have
been plagued by a series of damning reports, accusations of
bureaucratic bungling, and a rapid exodus of senior staff that's
worrying experts and industry groups. The department is charged with
developing a "comprehensive" plan for securing key Internet functions
and "providing crisis management in response to attacks"--but it's
been more visible through press releases such as one proclaiming
October to be "National Cyber Security Awareness Month."

Probably the plainest indication of potential trouble has been the
rapid turnover among cybersecurity officials. First there was Richard
Clarke, a veteran of the Clinton and first Bush administrations who
left his post with a lucrative book deal. Clarke was followed in quick
succession by Howard Schmidt, known for testifying in favor of the
Communications Decency Act, then Amit Yoran and Robert Liscouski.

The top position has been vacant since Liscouski quit in January. In
July, Homeland Security Secretary Michael Chertoff pledged to fill the
post but has not named a successor.

"I sure wouldn't take that job," said Avi Rubin, a professor
specializing in cybersecurity at Johns Hopkins University. "It only
has a downside."

If an Internet meltdown happened--perhaps a present-day rendition of
the 1988 worm created by Robert Morris, which forced administrators to
disconnect their computers from the network to try to stop the worm
from spreading--Homeland Security's cybersecurity official would wield
little power yet shoulder all the blame, Rubin said. "The person who
was cybersecurity czar would be out of a job and would be blamed, even
though it might have been someone else not following a policy."

Other top-level staff have been departing: The deputy director of
Homeland Security's National Cyber Security Division, a top official
at the Computer Emergency Response Team, the undersecretary for
infrastructure protection and the assistant secretary responsible for
information protection have all left in the past year.


A promotion in the works

Raising the profile of cybersecurity efforts inside Homeland Security
has garnered some support in the U.S. House of Representatives.

Earlier this year, Rep. Zoe Lofgren, a California Democrat, and Rep.  
Mac Thornberry, a Texas Republican, reintroduced legislation from the
previous congressional session that would create an assistant
secretary for cybersecurity.

The much talked-about position would report directly to the Homeland
Security secretary, on equal footing with posts that oversee the
nation's physical infrastructure. Under current department structure,
the top cybersecurity official is buried in a few levels of
bureaucracy beneath the Homeland Security chief.

"Creating an assistant secretary is far more than just an
organizational change," Thornberry said when introducing the bill. "It
is an essential move to assure that cybersecurity is not buried among
the many homeland security challenges we face."

The proposal was ultimately wrapped up in the broader Homeland
Security Authorization Act for 2006 and has been approved by the
House. But since May, it has been sitting in front of the Senate
Homeland Security committee, which has not indicated when further
action will occur.

Outside observers are holding out hope for Chertoff's departmental
reorganization announced in July. As part of the reshuffling, he hired
Stewart Baker, former general counsel to the National Security Agency
and a well-respected technology lawyer, to be assistant secretary for
policy. Baker is waiting for Senate confirmation.

"It's been a mess for over four years, and hopefully the new folks
will fix this," said Jim Lewis, director of the technology and public
policy program at the Center for Strategic and International Studies.

"In the previous incarnation, DHS and the Homeland Security Council
didn't really know what to do with cyber--it's been a
deer-in-the-headlights experience for them," Lewis said. "It's not
clear who's even in charge. When you look at all the different
committees who assert they have a role in cybersecurity, it's about a
dozen. Whenever you have 12 committees in charge, that means no one's
in charge."


The Sept. 11 switch

The most likely reason for the federal government's lack of focus on
cybersecurity is straightforward: the attacks of Sept. 11, 2001.

While Internet and computer security may not have been a top priority
before the attacks, the topic did draw a smattering of attention from
the White House. In February 2000, President Clinton convened a
meeting on cybersecurity with technology executives. He returned to
the topic in a speech to the Coast Guard Academy a few months later,
cautioning that "critical systems like power structures, nuclear
plants, air traffic control, computer networks, they're all connected
and run by computers."

Then Sept. 11 shifted the Bush administration's attention from
hypothetical threats of Internet saboteurs to military action,
al-Qaida and the invasion of Iraq.

"Cybersecurity clearly fell off the radar screen when they set up the
department, and the department is trying to find its way," said Kurtz,
president of the Cyber Security Industry Alliance, which counts as
members companies such as Symantec, McAfee, RSA Security, PGP and
Computer Associates.

Even before Sept. 11, however, the federal government's cybersecurity
efforts were being described as slipshod. In a blistering 108-page
report released in early 2001, government auditors said the FBI's
National Infrastructure Protection Center had become a bureaucratic
backwater that was surprisingly ineffective in pursuing malicious
hackers or devising a plan to shield the Internet from attacks.

When Congress created Homeland Security two years later, the FBI's
NIPC was unceremoniously mashed together with the Defense Department's
National Communications System, the Commerce Department's Critical
Infrastructure Assurance Office, an Energy Department analysis center
and the Federal Computer Incident Response Center.

The results have been mixed. A May 2005 report by the Government
Accountability Office warned that bot networks, criminal gangs,
foreign intelligence services, spammers, spyware authors and
terrorists were all "emerging" threats that "have been identified by
the U.S. intelligence community and others." Even though Homeland
Security has 13 responsibilities in this area, it "has not fully
addressed any," the GAO said.

Other analyses have said the agency is plagued by incompatible
computer systems, and another found that Homeland Security was
woefully behind in terms of sharing computer security information with
private companies.

The department has argued that it has not been idle. Last year, it
created the National Cyber Alert System, billed as a public-private,
nationally coordinated method of dispensing information about Internet
threats and vulnerabilities. Other plans include a staged cyberattack
exercise scheduled for November.

"Placing responsibility for cybersecurity within the Department of
Homeland Security was a necessary move because it recognized how
integrated cybersecurity is with other physical security, and to
remove it from the department would hurt security in both," said
Homeland Security's Whitworth.


"An inappropriately small focus"

But the right tools and funding have to be in place, too, said Ed
Lazowska, a computer science professor at the University of
Washington. He co-chaired the president's Information Technology
Advisory Committee, which published a report in February that was
critical of federal cybersecurity efforts.

"DHS has an appropriately large focus on weapons of mass destruction
but an inappropriately small focus on critical infrastructure
protection, and particularly on cybersecurity," Lazowska said in an
e-mail interview.

The department is currently spending roughly $17 million of its $1.3
billion science-and-technology budget on cybersecurity, he said. His
committee report calls for a $90 million increase in National Science
Foundation funding for cybersecurity research and development.

Until then, Lazowska said, "the nation is applying Band-Aids, rather
than developing the inherently more secure information technology that
our nation requires."





More information about the ISN mailing list