Network News

X My Profile
View More Activity

Proposal Would Shore Up Govt. Cyber Defenses

While cyber attacks have evolved dramatically since the beginning of this decade, the regulations governing how federal agencies defend against digital intruders haven't been updated since 2002. Legislation expected to be introduced Tuesday in the Senate would seek to correct that imbalance.

The "U.S. Information and Communications Enhancement Act of 2009," which would update the Federal Information Security Management Act, or FISMA, calls for the creation of hacker squads to test the defenses of federal agency networks. In addition, agencies would be required to show that they can effectively detect and respond to the latest cyber attacks on their information systems.

Critics of the current law say it merely requires agencies to show they have the proper cyber security policies in place, but not necessarily demonstrate that those policies are helping to block or mitigate real-world attacks.

"Only about five federal agencies are testing to see whether they are actually implementing these requirements," said Alan Paller, director of research for the SANS Institute, a security training group based in Bethesda, Md. "Agencies need to be measured on how well they block known attacks, and that's the opposite of what they're measured against now, which is how secure they are on paper."

Paller said the changes are needed because criminal and nation-state hackers are improving their attack techniques far faster than the U.S. government is improving its defenses, and that the threat is increasing at an accelerating rate.

"Hackers and nation states have more deeply penetrated civilian government agencies and the critical national infrastructure computer networks than the public and most members of Congress have been told," Paller said.

The legislation also envisions the creation of a council of chief information security officers, which would call on CISOs from each federal agency to share information about threats they're facing and the best ways to combat them.

In addition, the bill, to be introduced by Sen. Tom Carper (D-Del.), would establish a presidentially appointed, Senate-confirmed position as "director of the national office for cyberspace," to be housed within the Executive Office of the President.

The new legislation follows a sweeping cyber security proposal introduced earlier this month by Senate Commerce Committee leaders, which calls for the appointment of a White House cybersecurity "czar" with unprecedented authority to shut down computer networks, including private ones, if a cyberattack is underway.

Greg Nojeim, senior counsel at the Center for Democracy & Technology, said it's wasn't clear from reviewing a draft of the Carper bill how much responsibility the proposed cyberspace director would have, and how that position would fit with the duties assigned to the White House's newly created and filled slots for chief information officer (CIO) and chief technology officer.

"The bill lays out four areas where that office would work, and only one of them is security," Nojeim said. "One of those other areas is to enhance economic prosperity. That's a pretty broad charge."

Some clarity on that point may come tomorrow. Carper chairs the Senate Subcommittee on Federal Financial Management, Government Information, Federal Services and International Security, which is expected to hear testimony Tuesday from Vivek Kundra, whom President Obama has tapped as his CIO.

A draft copy of the Carper bill is available here (PDF).

By Brian Krebs  |  April 27, 2009; 9:44 PM ET
Categories:  U.S. Government  | Tags: U.S. ICE, federal cio cto ciso, sen. tom carper  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   StumbleUpon   Technorati   Google Buzz   Previous: Scammers, Spammers Embrace Swine Flu News
Next: Adobe Warns of Potential Reader Flaw


Hathaway Bolsters Internet Security Alliance

Despite numerous lukewarm reviews of the 2009 RSA Security Conference by attendees and reporters, the Internet Security Alliance’s President Larry Clinton recognized that the keynote address to the collective conference body by Melissa E. Hathaway, Acting Senior Director for Cyberspace for the National Security and Homeland Security Councils, offers affirmation of the mission and principles on which the Internet Security Alliance (ISAlliance) was founded.

Posted by: anthonymfreed | April 28, 2009 10:23 AM | Report abuse

Gee the folks in charge up there on hill seem to forget that they we're warned about cyber attacks and the possiblities of cyber war way back after 9-11 attacks. They even had a fellow named Dick Clarke in that very position in the white house called the " Chairman of the White House Critical Infrastructure Protection Board.

Clarke and other insiders WARNED about a n fighting on a new battlefield of cyberspace, and they evaluated just how vulnerable the Internet may be to both virtual and physical attack.

The issue of cyber war first began to command urgent White House attention after a distinguished group of scientists wrote an open letter to President Bush in February 2002.The letter stated:

"The critical infrastructure of the United States, including electrical power, finance, telecommunications, health care, transportation, water, defense and the Internet, is highly vulnerable to cyber attack. Fast and resolute mitigating action is needed to avoid national disaster," wrote the authors of the letter, who included J. M. McConnell, a former head of the National Security Agency, Stephen J. Lukasik of the Defense Advanced Research Projects Agency, and Sami Saydjari of the Cyber Defense Agency.

"Ultimately, it turned into about fifty-four scientists and leaders -- former national leaders, intelligence community people as well -- sending this letter that makes the case that says, 'We have a problem here,'"

White House cyber security adviser Howard Schmidt announced his resignation, noting that much of his responsibilities have been transferred to the new Homeland Security Department and warning that "cyber security cannot now be reduced to a 'second tier' issue. It is not sufficient to just respond to attacks, but rather proactive measures must also be implemented to reduce vulnerabilities and prevent future attacks."

But Clarke -- who as head of counterterrorism for the Clinton and Bush administrations was an early voice warning about Al Qaeda in the middle 1990s -- says cyber attacks are imminent.

"When we have the experts telling us we have a big risk," says Clarke, "wouldn't it be nice, for once, to get ahead of the power curve, solve the problem, so there never is the big disaster?"

And what did they do....ignore Clarke's advice and bsically shove him out, and now all of a sudden it's a threat.... when you have the professionals in the industry saying there is a problem...shopuldn't we be listening instead of ignoring them...after all isn't that what they we're paid to do?

Posted by: Davidm4955 | April 28, 2009 11:03 AM | Report abuse

The comments to this entry are closed.

RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company