SecurityFocus 2000-04-20
Attacks are rising, but U.S. computer chiefs have a plan to make the net safe for e-government.
"What we are doing now is developing a series of benchmarks that would allow us to provide to agencies examples of good security practices tied to a specific set of government services," said Department of Energy CIO John Gilligan. "We're going to draw a series of examples and use those examples to draw what we think are benchmark security and privacy practices, then share that with the various agencies."
Gilligan serves as co-chair of the Federal CIO Council's Security, Privacy and Critical Infrastructure Committee. Together with the CIOs of the Commerce and State Departments, he outlined the Committee's plans at an industry briefing at FOSE 2000 -- an information technology exposition for government agencies.
Federal agencies have been criticized for lagging behind private industry in serving the public online -- most recently in a March report from the centrist Democratic think tank The Progressive Policy Institute. Gilligan blamed hackers for the delays, offering that government CIOs "felt constrained by questions and concerns about security."
The CIOs' response: a virtual Bible of government computer security practices that will address web-based information services, online government procurement and financial transactions with the public over the Internet. It's due to be released to all federal agencies this summer, with a broader plan promised in the fall.
A 1996 law established the position of Chief Information Officer in all major Federal departments and agencies to spur the development of cost-efficient technological initiatives within the government. The CIO Council was created by Executive Order to act as the principal interagency forum for information technology matters.
The Council's Security, Privacy and Critical Infrastructure Committee is responsible for developing security practices for government networks, a task that's taken on increased urgency in the wake of high-profile Denial of Service attacks, web hacks on government sites, and growing concern in Congress and at the White House over "cyberterrorism."
Fernando Burbano, the State Department's CIO, blamed the availability of automated hacking tools like L0phtcrack and BO2K for the government's computer security woes. "What really makes it worse is in the early 1980s it used to take a lot of sophistication to hack," said Burbano. "All you have to know now is how to point and click a mouse and you can hack people."
Indicating a screenshot of nmap in his PowerPoint slide show, Burbano explained, "Nmap is freeware that probes networks by sending data packets to ports... All you have to know is how to point and click this thing."
Despite easy-to-use scripts, Gilligan said that DOE systems are holding their own. While the number of attacks is increasing at a "non-linear" rate, "fortunately, the number of successful attacks is actually steady and decreasing as a percentage," said Gilligan. Burbano noted the same trend with State Department computers.
Last month, the Senate Governmental Affairs Committee approved the Government Information Security Act, after hearing testimony from federal computer security experts and hacker Kevin Mitnick. The legislation would require agencies to submit to an annual independent audit of their information security programs and practices.