[ISN] US cybersecurity all at sea

InfoSec News isn at c4i.org
Fri Oct 14 00:11:40 EDT 2005


http://www.theregister.co.uk/2005/10/13/us_cybersecurity_analysis/

By John Leyden
13th October 2005 

... without a paddle

US cybersecurity risks are being poorly managed by the Department of 
Homeland Security, according to a former US presidential information 
security advisor. Peter Tippett, who recently served a two-year term 
on the President's Information Technology Advisory Committee, said a 
lack of leadership on electronic security left the US at a greater 
risk of electronic attack.

Tippett, who is now chief technology officer with managed security 
firm CyberTrust, compared Homeland Security's posture in defending 
against electronic attacks to the lack of preparation by FEMA (Federal 
Emergency Management Agency) in managing relief efforts for Hurricane 
Katrina. "Something similar happened when Homeland Security got 
responsibility for both FEMA and computer security. When 
responsibility was transferred from the White House to Homeland 
Security good people left the top. There's confusion over reporting 
lines and no leadership," Tippett told El Reg.

The US government's cybersecurity responsibilities - along with those of 
FEMA - were transferred from the White House to the Department of 
Homeland Security during a reshuffle of 22 federal agencies three 
years ago.

Tippett's criticisms are echoed by auditors and segments of the 
security industry, who accuse Homeland Security of being ill-prepared 
for emergencies and beset by bureaucratic bungling.

However, Howard Schmidt, chief exec of R&H Security and a former 
senior White House cyber security advisor, defended the Homeland 
Security agency's record. "There's been a lot of criticisms but they 
don't take into account the good work that the Homeland Security 
agency is doing. It is doing all it can to improve government systems 
within the priorities it has. We are getting incrementally better 
systems. Improvements will take time."


Back to basics

Schmidt made the comments at the SecureLondon conference, organised by 
security training and certification body ISC(2), in London earlier 
this week. Both Schmidt and Tippett have radical ideas for improving 
cybersecurity in the IT industry. Schmidt wants to see software 
developers held personally accountable for the security of the code 
they write. This is a radical idea, but who is to blame for a Win 
XP security bug, for example? It would take the brain of Sherlock 
Holmes to apportion personal blame for that to any one developer, we 
suspect.

Tippett advocates the wider adoption of basic security defences rather 
than government standards, which "don't translate into fewer hacker 
attacks". It would be better if PCs denied actions by default rather 
than permitting anything that was not known to be bad, he argued. 
Tippett is credited with creating one of the first commercial 
anti-virus products, which later became Symantec's Norton Anti-Virus. 
He is highly critical of the industry he helped create.
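The distinction Tippett draws is between a denylist (permit anything not known to be bad) and an allowlist (permit only what is known to be good). The following added example, which is not from the article or from any product it names, evaluates the same constructed execution requests under both modes; the file names, hashes and the "known good"/"known bad" sets are all invented for the illustration.

```python
"""Default-deny versus default-allow policy evaluation (added illustration).

The point the example shows: a never-before-seen binary is permitted by
a denylist, because no signature for it exists yet, but is blocked by
an allowlist, because nobody has approved it. All sample data is constructed.
"""
from dataclasses import dataclass
from enum import Enum
import hashlib


class Mode(Enum):
    DEFAULT_ALLOW = "default-allow"  # denylist: block only known-bad hashes
    DEFAULT_DENY = "default-deny"    # allowlist: run only known-good hashes


@dataclass(frozen=True)
class ExecRequest:
    path: str
    sha256: str


def sha256_hex(data: bytes) -> str:
    """Hash of the (constructed) file contents, used as the policy key."""
    return hashlib.sha256(data).hexdigest()


# Constructed policy data: two administrator-approved binaries and one
# malware hash that a scanner vendor has already shipped a signature for.
KNOWN_GOOD = {sha256_hex(b"notepad-v1"), sha256_hex(b"word-v2")}
KNOWN_BAD = {sha256_hex(b"worm-sample-2004")}


def decide(req: ExecRequest, mode: Mode,
           known_good=KNOWN_GOOD, known_bad=KNOWN_BAD) -> bool:
    """Return True if execution is permitted under the given mode."""
    if mode is Mode.DEFAULT_ALLOW:
        return req.sha256 not in known_bad      # unknown => allowed
    if mode is Mode.DEFAULT_DENY:
        return req.sha256 in known_good         # unknown => denied
    raise ValueError(f"unsupported mode: {mode!r}")


def evaluate(requests, mode: Mode) -> dict:
    """Map each request path to its verdict under one mode."""
    return {r.path: decide(r, mode) for r in requests}


# Constructed sample traffic: an approved tool, a known worm, and a new
# variant for which no signature and no approval exist.
SAMPLE_REQUESTS = [
    ExecRequest("C:\\Windows\\notepad.exe", sha256_hex(b"notepad-v1")),
    ExecRequest("C:\\Temp\\worm.exe", sha256_hex(b"worm-sample-2004")),
    ExecRequest("C:\\Temp\\new-variant.exe",
                sha256_hex(b"worm-sample-2005-unknown")),
]


def compare_modes(requests=SAMPLE_REQUESTS) -> dict:
    """Verdicts for every request under both policy modes."""
    return {m.value: evaluate(requests, m) for m in Mode}


if __name__ == "__main__":
    for mode_name, verdicts in compare_modes().items():
        print(mode_name)
        for path, allowed in verdicts.items():
            print(f"  {'ALLOW' if allowed else 'DENY':5} {path}")
```

The example also shows the cost side of the argument: under default-deny every approved update needs a fresh entry in `KNOWN_GOOD`, so the maintenance burden moves from the signature vendor to whoever curates the allowlist, which is why a hash-based allowlist is usually paired with publisher signatures or a managed catalogue rather than maintained by hand.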

"The anti-virus industry is not interested in default deny because if 
they did that they wouldn't be able to sell updates," he said. 
"Information security problems are getting worse, even though people 
are spending more. Throwing money at the problem isn't helping. All 
the market wants to do is sell new gizmos," he added. ®





More information about the ISN mailing list