Nation's Cyber Plan Outdated, Lawmakers Told
The nation's plan and policies for protecting its critical online infrastructures is severely outdated and flawed, experts told lawmakers Wednesday at a House subcommittee hearing.
"Demanding report cards, legislating under the influence of adrenaline, imagining that cyber-security is an end rather than merely a means -- all these and more inevitably prolong a world in which we are procedurally correct but factually stupid," said Daniel Geer, a principal at Geer Risk Services and a biostatistician, in written testimony.
The meeting followed a hearing last week where lawmakers reviewed the grades given to federal government agencies and departments for efforts to secure their information technology networks.
Rep. James Langevin (D-R.I.), who chairs the House Homeland Security subcommittee, in his opening statement said he was troubled with administration efforts on cyber security and questioned its prudence of funding cuts of the Homeland Security Department's science and technology directorate.
Although the department's science and technology unit was slated to receive $22.7 million for fiscal 2007, it is only funded the division at $13 million, the Rhode Island Democrat noted.
Jim Lewis, a security expert with the Center for Strategic and International Studies, told the Emerging Threats, Cybersecurity, and Science and Technology Subcommittee that the nation's current national cyber strategy is outdated.
The 2003 plan "shifted too much of the burden for security to the private sector and did not resolve key issues regarding responsibility within the government," he said, adding that a new, comprehensive strategy would need to address issues such as streamlining how many interagency groups and committees work on the same cyber issues.
"The U.S. does not need a new White House cyber czar, but it does need to do more to direct and coordinate efforts by the various agencies," he said. Lewis lauded the recent creation of a cyber-security policy coordinating committee at the National Security Council as an important first step.
Rep. Bennie Thompson, the Mississippi Democrat who chairs the full Homeland Security Committee, said he was concerned that department Secretary Michael Chertoff said in last week's hearing that coordinating better cyber-security practices across the government was a top priority when it took him so long to appoint an assistant secretary of cyber-security and the department's chief information officer recently got a "D" for its internal cyber-security efforts.
Sami Saydjari, president of the nonprofit Professionals for Cyber Defense, urged lawmakers in written testimony to consider cyber-space as a new territory that must be defended as a primary controller of the nation's real-world assets.
"The U.S. is vulnerable to a strategically crippling cyber-attack from nation-state-class adversaries," said Saydjari, who also worked at the National Security Agency and the Defense Advanced Research Projects Agency.
He suggested that Congress offer $500 million to start a "Cyber Manhattan Project" that would be run by the country's top experts to help mitigate the rise of these foes. He envisioned the fund eventually would grow to multiple billions of dollars.
"Indications are that national economic devastation is quite possible, and when we're in the middle of the disaster isn't the time to start thinking about how to respond," he said, adding that preparing for cyber war will take more than three years and require infrastructure for critical computer systems, experienced defenders and a national program.
Both Saydjari and Lewis addressed the threat of espionage, with Lewis calling cyber espionage the greatest current threat to the United States.
Douglas Maughan with DHS's Science and Technology Directorate, characterized the Internet as the central nervous system of the nation's governments, citizens and industries.
"When it is attacked, the effects can ripple far and wide," he said.
Maughan noted that the Internet was developed to provide "essential minimum communications" in the event of a nuclear attack and was not designed with security in mind. He noted that in addition to the Internet, many technologies in widespread use today -- such as cell phones, wireless networks and personal digital assistants -- are vulnerable to malicious attacks.
"Attacks on these technologies have forced us into a defensive posture, and the financial costs are significant," he said. "Attackers can reach our business and government systems through the maze of networks connected by the Internet."
washingtonpost.com's Sharon Mcloone helped report this blog post.
The comments to this entry are closed.