
[ISN] Industry experts question $6 billion Bush cybersecurity plan


By Jill R. Aitoro  
January 29, 2008  

A system that focuses on network protection will do little to fend off 
intruders, industry sources argue in response to reports that President 
Bush will allocate $6 billion in his 2009 budget to a cybersecurity 
project meant to shield communication networks from terrorists and 

The Wall Street Journal reported [1] on Monday that the administration 
plans to reduce access points from the Internet to government networks 
and better monitor intrusion attempts through the use of network sensors 
that detect suspicious patterns. Once implemented in government, the 
program would be adapted to private networks. Former officials told The 
Wall Street Journal that the $6 billion would be the initial part of a 
potential total cost of $30 billion over seven years.

"Five years ago we needed this type of investment," said Howard Schmidt, 
president and CEO of R&H Security Consulting, former vice chairman of 
the president's Critical Infrastructure Protection Board and special 
adviser to the White House on cyberspace security. "Is it enough? Only 
time will tell, but it seems to be a good amount to deal with some of 
the issues we've identified for the past five years."

Between 2003 and 2006, nearly 63,000 cyber incidents were reported to 
the Homeland Security Department's U.S. Computer Emergency Readiness 
Team, established in 2003 to coordinate defense against and responses to 
cyberattacks. Of that total, nearly 4,000 were policy violations, more 
than 4,600 were malware findings and nearly 42,000 were phishing attempts. 
"No matter what form the attacks take, they continue to come," DHS 
cybersecurity and communications assistant secretary Greg Garcia said in 
October 2007.

Federal officials remain mum on details of the alleged cybersecurity 
system, which one DHS spokesperson called speculation until the 
president rolls out the budget.

Some argue that a focus on intrusion detection alone is not enough.

"Securing a network is not the same as securing the data," Schmidt said. 
"When you look at securing government systems, there needs to be a lot 
of restructuring of the architecture -- legacy hardware, software and 
applications. None of those were designed to operate in the high threat 
environment we operate in today. All of that needs to be ripped out and 

Chris Wysopal, chief technology officer at Burlington, Mass.-based 
application security vendor Veracode, compares a network-centric 
security strategy with posting police on every corner in a dangerous 
neighborhood, but failing to fix shoddy locks on the houses.

"Intrusion protection and detection machines are only one piece of the 
puzzle," Wysopal said, pointing to the source of data -- the operating 
systems and applications themselves -- as equally if not more 
vulnerable. "When I install software of unknown pedigree, I'm installing 
a lot of risk. That mentality has to change. I need to know who wrote it, 
how it was written, and what standards or tests it passed to show it has 
the quality I need. We wouldn't plug in electrical equipment if it 
wasn't UL listed because we couldn't ensure our business, but software 
often slips right in. The bar doesn't have to be super high, but there 
needs to be a bar."

A number of recent incidents magnified the need to better secure public 
and private networks. On Jan. 16, a CIA official confirmed attacks [2] 
on computers that operate power companies worldwide, causing at least 
one widespread electricity outage. And in March 2007, researchers from 
the Idaho National Laboratories simulated a cyberattack on a power 
plant's control system that caused a generator to self-destruct. The 
test prompted a hearing [3] held by the House Homeland Security 
Subcommittee on Emerging Threats, Cybersecurity, and Science and 
Technology to examine vulnerabilities in the computer networks that run 
water, power and chemical plants.

In 2006, DHS ran the first national cyber exercise to determine how the 
federal government and corporations running the nation's infrastructure 
would respond to a cyberattack. Security experts criticized [4] the 
exercise, saying it failed to determine basic procedures such as whether 
the federal government or the private sector was in charge of issuing 

[1] http://online.wsj.com/article/SB120147963641320851.html
[2] http://www.govexec.com/dailyfed/0108/011808j1.htm
[3] http://govexec.com/story_page.cfm?articleid=38319
[4] http://www.csoonline.com/read/110106/brf_cyberstorm.html