Cyber Security Institute

§ Current Worries

Top 3 Worries

  • Regulations
  • Old Firewall Configurations
  • Security Awareness

§ Listening

For the best information

  • The underground
  • Audible
  • Executive Excellence
  • Music (to keep me sane)

§ Watching

For early warnings

  • 150 Security Websites
  • AP Newsfeeds
  • Vendors

Friday, February 29, 2008

Law makers voice concerns over cybersecurity plan

Members of the House of Representative sought details, on Thursday, of a $30 billion plan to secure federal government systems and upgrade network defenses to ward off attacks from foreign nations and online criminals.  Known as the Cyber Initiative, the Bush Administration project would dramatically reduce the number of interconnections between federal government networks and the Internet and put more advanced network security in place to monitor data traffic for signs of malicious attacks.  While the 5- to 7-year project could dramatically improve the network defenses of government agencies, law makers questioned whether the initiative will be too little, too late, and whether the resulting network monitoring could undermine privacy.

“It’s hard to believe that this Administration now believes it has the answers to secure our federal networks and critical infrastructure,” Representative Bennie Thompson (D-MS), chairman of the House Committee on Homeland Security, said in prepared remarks at the opening of the hearing on Thursday.  “I believe cybersecurity is a serious problem—maybe the most complicated national security issue in terms of threat and jurisdiction… This problem will be with us for decades to come.”

The U.S. government gave short shrift to cybersecurity issues at the beginning of the decade.  While the Bush Administration released its National Strategy to Secure Cyberspace in 2003, the final document significantly softened the government’s stance on securing critical infrastructure, which is primarily maintained by private companies.  The Administration also collected most of the cybersecurity capabilities into the Department of Homeland Security and then failed to fund the efforts.  While Congress established the position of Assistant Secretary for Cybersecurity within the DHS in 2005, the Bush Administration failed to fill the leadership role for more than a year, finally appointing Greg Garcia, a former information-technology lobbyist, to the post.  In the last two years, however, the Bush Administration has focused more intently on securing government networks.

The U.S. computer emergency readiness team (US-CERT) has deployed a network-traffic analysis system, EINSTEIN, to monitor 15 agencies for possible computer intrusions.

The National Institute of Standards and Technology has created the National Vulnerability Database and worked with other agencies to create important standards for configuration management and vulnerability detection.

The latest effort by the Bush Administration is the so-called “Cyber Initiative”—a plan to minimize the number of trusted Internet connections, or TICs, and improve EINSTEIN’s monitoring on those connection to prevent attacks in real time.  The Bush Administration has budgeted $30 billion over the next five to seven years for the program, according to statements by Committee members.  The 2009 budget has requested $294 million for US-CERT to hire more analysts and fund the additional deployment of the system.

During Thursday’s hearing, officials from the Office of Management and Budget and the Department of Homeland Security answered the Committee’s questions on the non-classified components of the initiative.

As part of the Cyber Initiative, a major effort is under way to reduce the number of interconnections between federal agencies and the public Internet.  Currently, more than 4,000 trusted Internet connections (TICs) link the federal government to the Internet, according to Robert Jamison, Under Secretary for the DHS’s National Protection and Programs Directorate.  Under the Cyber Initiative, that will be reduced to 50.

The second part of the Cyber Initiative calls for improvement to the EINSTEIN intrusion detection system and the deployment of the system to monitor all 50 Internet access points.  The information is analyzed on a daily basis, and so cannot detect threats in real time, DHS’s Jamison said.  The original assessment, completed in September 2004, found that the EINSTEIN system did not need to have Privacy Act System of Records “because the program is not intended to collect information that will be retrieved by name or personal identifier.”

The committee also took issue with the DHS Secretary Michael Chertoff’s decision to appoint Scott Charbo, the former CIO for the department, to the position of Deputy Under Secretary in charge of implementing the program.

Posted on 02/29