SecurityFocus 2005-06-02
The probable passage of the Homeland Security budget will elevate the head of cybersecurity to assistant secretary, but an increase in clout will not solve the agency's most pressing problems.
A spending bill likely to be passed this month will give the Department of Homeland Security's chief cybersecurity officer more clout but will not solve major issues in how the agency handles its job of protecting the nation's critical infrastructure, security experts said this week.
The criticism comes as an appropriations bill passed by the U.S. House of Representatives is set to be considered by the Senate this month. A separate act that would establish the position of Assistant Secretary for Cybersecurity was added to the spending bill as an amendment. The position would replace the current head of the National Cyber Security Division (NCSD), which was created two years ago to head the agency's efforts to analyze and respond to cybersecurity threats.
However, in a report released last week, the U.S. General Accounting Office took the Department of Homeland Security to task, arguing that the federal agency has made progress toward, but not fulfilled, any of its 13 cybersecurity responsibilities. More clout for the chief cybersecurity officer within the DHS could help the situation but will not solve the problems, said David Powner, director of information technology management issues at the GAO and the lead author of the report.
"Creating an assistant secretary position will clearly be helpful, but it won't be a silver bullet," Powner said. "Just elevating that position does not solve some of the DHS's challenges."
The report criticized the Department of Homeland Security for the lack of measurable progress in important areas, including the generation of cybersecurity plans for specific sectors of industry, such as energy, transportation and food supply. And while the agency has created the U.S. Computer Emergency Readiness Team (US-CERT) to coordinate incident response, adequate plans for recovering from an attack are not in place, the report states.
The Department of Homeland Security took issue with the report, stating that it had made headway in tackling its duties. In a letter appended to the report, the DHS agreed that the agency needs to do more to gain the cooperation of the various industries responsible for critical infrastructure, but took issue with the report's conclusion that the DHS had neither prioritized its efforts nor established concrete milestones to get the job done.
"We agree with the GAO that the strengthening of cybersecurity is critical to protecting the nation's infrastructure," said DHS spokesman Kirk Whitworth. "While we agree with the report that there is still much work to be done, we have made substantial progress."
The debate is the latest over the DHS's progress in securing cyberspace and in securing its own systems. The agency has failed audits under the Federal Information Security Management Act (FISMA) for two successive years, due to the massive number of systems whose compliance has to be documented.
The agency's own Office of Inspector General has found fault with its cybersecurity initiatives. A group of independent auditors wardialed the agency and found they could connect to at least 20 modems for which the agency could not account. Moreover, up to 37 percent of the agency's passwords could be broken with a dictionary attack, according to the report.
"Due to these remote access exposures, there is an increased risk that unauthorized people could gain access to DHS networks and compromise the confidentiality, integrity, and availability of sensitive information systems and resources," that report stated.
Cybersecurity efforts at the Department of Homeland Security have also had to deal with short tenures of several top officials, including the former assistant secretary of infrastructure protection, Robert Liscouski, and the former director of the NCSD, Amit Yoran.
Yoran joined several computer-security industry consortiums in support of the latest bill, which aims to elevate the director position that he once held to assistant secretary.
"There are several areas where greater clarity is needed and support must be given to centralize cyber security functions across government," he said in written testimony to members of the House Subcommittee on Economic Security, Infrastructure Protection and Cybersecurity in April.
Called the DHS Cybersecurity Enhancement Act of 2005, the latest bill to give clout to federal cybersecurity efforts was added as an amendment to the Department of Homeland Security Authorization Act for Fiscal Year 2006, the annual budget legislation that funds the agency. Previously suggested legislation that would have returned the top cybersecurity role to the White House was scuttled last year.
The vote on the legislation, likely to happen this month, comes as officials in the government increasingly recognize that the nation's critical infrastructure relies on the Internet and computer systems. Moreover, the range of attackers that have such systems in their sights is increasing, FBI Director Robert Mueller said earlier this year.
"The increasing number of foreign governments and non-state actors exploiting U.S. computer networks is a major concern to the FBI and the intelligence community as a whole," he stated in written testimony to the U.S. Senate Select Committee on Intelligence in February.
Not only is the number of foreign attackers increasing, but the number of attacks with a financial motive is growing rapidly, Mueller added.
"The growing number of hackers motivated by money is a cause for concern," he said in the testimony. "If this pool of talent is utilized by terrorists, foreign governments or criminal organizations, the potential for a successful cyber attack on our critical infrastructures is greatly increased."
In its efforts to better the cybersecurity of the nation, the DHS has to lead by example and have a stick, not just a carrot, said Bruce Schneier, chief technology officer for network monitoring service Counterpane Internet Security and the author of several books on encryption and security.
"The best way to lead is by cleaning house," he said.
The first Assistant Secretary for Cybersecurity will also have to break with past efforts to reach a public-private consensus on how to secure the Internet and critical infrastructure, he added. The cybersecurity czar will need to make waves in the industry, not come to consensus, Schneier said.
"Security is not consensus," he said. "You cannot be secure and not piss someone off."