U.S. Not Ready for Virtual 9/11

The United States is ill-prepared for a massive cybersecurity attack, the equivalent of a virtual 9/11 assault on federal IT systems and the nation's critical IT infrastructure, a panel of information security experts told a House committee on Tuesday. "No, we're clearly not prepared as we should be," said David Powner, director of IT management issues for the Government Accountability Office.
Testifying before the House Homeland Security Committee's Subcommittee on Emerging Threats, Cybersecurity and Science and Technology, the witnesses also raised concerns about which agencies should oversee federal government cybersecurity policy and programs, noting that the National Security Agency, despite its technical know-how, lacks sufficient transparency to win agency and citizen support. Plus the witnesses pointed out that the Department of Homeland Security, named as the lead agency in securing federal IT, hasn't always accomplished its tasks satisfactorily.
The hearing came midway through a study ordered by President Obama to assess the current posture of the government's and nation's cybersecurity efforts and make recommendations on how the administration should secure federal systems and the nation's critical IT infrastructure.
"The nefariousness of cyber is the fact that we are experiencing the 9/11 in cyber; it just doesn't have tremendous visibility," testified NetWitness CEO Amit Yoran, former director of the National Cybersecurity Division with DHS. "For over a decade now, we've had significant incidents going on with foreign adversaries, and our national response has basically been to look the other way ... because there's no catastrophic visible outcome. We sort of lie in bed at night, not able to sleep, and not realizing how much damage is occurring, so we're not prepared."
Scott Charney, Microsoft vice president of trustworthy computing and co-chair of the Commission on Securing Cyberspace for the 44th Presidency, told the committee that the government must defend itself against attacks on the federal networks' confidentiality (safeguarding its data); integrity (averting the altering of critical systems people rely upon); and availability (preventing the systems from going down).
"But the other part of that strategy is how fast can you reconstitute the capabilities if the capabilities fail," Charney said. "This is one of the reasons it's so important to have a comprehensive strategy, because when you think about how you're going to reconstitute across multiple networks and multiple time zones, this actually is quite challenging. You have to think about the strategy for reconstitution, who's in charge of all these responsibilities, what's the implication to the private sector that owns 85 percent of the (IT) infrastructure. The availability problem is in some ways different than the confidentiality and integrity problem. It's important to focus on all of them."
Deciding which agency should take the lead on cybersecurity, Yoran outlined the dilemma the government faces. "DHS has demonstrated inefficiency and leadership failure in its cyber efforts," he testified. "While pockets of progress have been made, administrative incompetence and political infighting have squandered meaningful progress and for years now our adversaries continue to aggressively press their advantage."
In testimony earlier this month, National Intelligence Director Dennis Blair told Congress that the NSA has the smarts and skills to secure cyberspace. But Yoran said that would be ill-advised, citing the resignation letter of Rod Beckstrom as director of the DHS's National Cybersecurity Center and noting that the NSA's intelligence culture is markedly different from that of network operations or security.
The cyber focus of intelligence agencies (monitoring adversaries, determining their methods and techniques, tracking their activities to a point of origin, and determining the scope, intent and objective of a compromise) is very important, Yoran said. Yet those intelligence goals often conflict directly with the information assurance goals of system owners and operators, who are primarily concerned with system defense and protection and, in the event of compromise, a speedy restoration to a functional and assured state. "We must enable civil government to succeed at this mission," Yoran testified. "This being said, it is far past time we fix the DHS problems and move forward."
House Homeland Security Committee Chairman Bennie Thompson, looking chagrined when the hearing concluded, remarked: "What we just heard is very troubling."
NIST: Measuring IT Security
Among the hot topics in government today is finding new metrics to measure IT security.
But a draft report just issued by the National Institute of Science and Technology suggests the task will be very difficult to accomplish.
Writing in the report, Directions in Security Metrics Research, NIST computer scientist Wayne Jansen says the security metrics area poses hard and multi-faceted problems for researchers.
"Quick resolution is not expected and the likelihood is that not all aspects of the problem are resolvable," Jansen writes. "Furthermore, only some of those aspects that are resolvable may be able to be done satisfactorily, meeting expectations of repeatability, reproducibility, relevance, timeliness and cost."
Jansen lists four factors that impede progress in security metrics: