[ISN] Report Faults Cyber-Security

[InfoSec News]

http://www.washingtonpost.com/wp-dyn/articles/A7192-2004Jul22.html

By Jonathan Krim
Washington Post Staff Writer
July 23, 2004

The Department of Homeland Security's efforts to battle
computer-network and Internet attacks by hackers and other
cyber-criminals suffer from a lack of coordination, poor communication
and a failure to set priorities, according to an internal report
released yesterday.

The report, by the department's inspector general, said the
shortcomings of the National Cyber Security Division leave the country
vulnerable to more than mere inconvenience to businesses and
consumers.

The division "must address these issues to reduce the risk that the
critical infrastructure may fail due to cyber attacks," the report
said. "The resulting widespread disruption of essential services after
a cyber attack could delay the notification of emergency services,
damage our economy and put public safety at risk."

Among the report's recommendations is that the division develop a
process for overseeing efforts of federal, state and local governments
to better protect their systems.

The report cited progress in some areas since the division was formed
in June 2003 as part of the federal reorganization that created the
DHS. It praised the creation of a cyber-security coordination center
called US-CERT, and an alert system that includes a Web site and
automated notification to tech-security professionals of security
threats making their way through cyberspace.

But the report comes at a time of heightened frustration among
technology company executives and members of Congress that
cyber-security is not getting enough attention and is poorly
understood by some senior department officials. The issue is not just
the possibility of a broad cyber-terrorist attack, those people say,
but the daily attacks that are costing U.S. businesses and computer
users hundreds of millions of dollars a year and countless hours of
lost productivity.

"If we are at war, as Bush and [Homeland Security Secretary Tom] Ridge
say we are . . . based on this report, we are clearly not on a war
footing on cyber-security, or in DHS," said F. William Conner, chief
executive of Entrust Inc., a Texas cyber-security company. "I read
about the progress, but they've got the wrong measuring stick.  
Progress has to be measured against external risk."

Especially irksome to some executives and security experts is that the
department has not adopted some of the practices they argue that
government agencies, companies and organizations should employ to
reduce the risk of cyber-attacks.

"The department as a whole isn't leading by example," said Alan
Paller, head of the SANS Institute in Bethesda, a computer security
research group. Paller, who praises some of the cyber division's work,
said the department should take the lead in using its buying power to
demand that software vendors make their products more secure. Paller
said the agency is not doing so.

Paul Kurtz, head of the recently formed Computer Security Industry
Alliance, a corporate trade group, said the HS was reluctant to
participate in a cyber-security exercise sponsored by Dartmouth
University, and did so only after pressure from the White House.

Kurtz added that follow-through has been poor on the government's
highly touted public-private partnership with industry to address
security issues. That effort was part of a White House directive on
cyberspace that mandated tighter controls for federal agencies but
called for a voluntary plan for the private sector. After a meeting
late last year, the partnership yielded five major reports and dozens
of recommendations, but little in the way of further action.

"Not enough is happening" even to fulfill the Bush directive, said
Rep. Zoe Lofgren (D-Calif)., who represents Silicon Valley.

To try to increase attention on cyber-security, several industry
groups are supporting a bill co-sponsored by Lofgren and Rep. William
M. "Mac" Thornberry (R-Tex.) that would elevate the director of the
cyber division, currently Amit Yoran, to assistant secretary with more
direct access to top DHS officials.

But Robert P. Liscouski, assistant secretary for information analysis
and infrastructure protection, who oversees the Cyber Security
Division, said the notion of separating attention on cyber-threats
from overall infrastructure protection would be bad policy.

"Cyber . . . is a very key priority for us," said Liscouski, a former
police officer and Coca-Cola Co. security executive. But elevating it
to special status "is a step back," he said, arguing that physical and
cyber-security are closely connected.

Thornberry said that philosophy is "kind of a dumbing down of our
cyber-security efforts. Cyber has some unique features."

Liscouski said he also has to focus on where the greatest threat lies
and that overall he thinks the division is making progress.

"The fact that I'm not on the bully pulpit is more a reflection of
where our threat is," he said, referring to tech industry's desire
that the Homeland Security Department take a lead role in pushing
companies to make cyber-security a top priority. "The dominant threat
has been a physical threat."

He acknowledged the department's initial reluctance to participate in
the Dartmouth exercise because the division was still organizing
itself and might not have been able to "engage in a meaningful way."  
But he said it was highly valuable in the end.

Industry executives say that if, as the administration has said, it
wants to rely on their expertise to help formulate cyber-security
policy, it should heed their advice now.

Harris N. Miller, head of the Information Technology Association of
America, said his group "continues to be concerned that DHS does not
have adequate resources devoted to cyber-security and that the
cyber-security head does not have adequate visibility within the
bureaucracy. Improvements are coming, but slowly. The question is
whether the nation can afford to wait."