


http://www.govexec.com/story_page.cfm?articleid=39393



By Jill R. Aitoro
Govexec.com
February 28, 2008



The top-ranking official in the Homeland Security Department's national
protection division called the agency's efforts in cybersecurity
satisfactory, assigning a grade of 'C' during congressional testimony
Thursday. But members of Congress called the grade inadequate,
emphasizing the need for better collaboration with agency technology
leaders, real-time response to system attacks, and metrics that measure
the ability to protect networks from specific threats rather than system
compliance.



DHS officials didn't reveal too many specifics regarding the
much-anticipated but highly classified initiative during a hearing before
the House Homeland Security Committee. Robert Jamison, undersecretary for
the National Protection and Programs Directorate at DHS, described plans
to enhance federal cyber-situational awareness, intrusion detection,
information sharing and response capabilities.



The primary means of accomplishing these goals will be the trusted
Internet connections initiative, which aims to reduce the number of
federal connections to networks outside the firewall, and Einstein, a
system that monitors agency networks using an automated process for
collecting, correlating, analyzing and sharing computer security
information with the U.S. Computer Emergency Readiness Team, or US-CERT.
So far, 15 agencies have deployed Einstein.



"The threat is real," Jamison said. "Our adversaries are adept at hiding
attacks in normal everyday traffic that comes across the network. The
only true way to protect networks is intrusion detection."



The total budget for the comprehensive initiative has not been
confirmed, but reports estimate related funds to be in the billions. DHS
requested $294 million in its fiscal year 2009 budget for cybersecurity,
most of which will go to continued deployment of Einstein. While DHS
will lead much of the initiative, individual agencies will be
responsible for aspects of cybersecurity efforts, and the Office of
Management and Budget will help enforce system compliance across the
federal government.



When asked how he would grade DHS in its response to cybersecurity
threats, Jamison gave the department "a solid 'C'," which members of
Congress called unsatisfactory.



"I would say 'C' is an [accurate] score, but absolutely unacceptable,
because they're supposed to lead by example," said Alan Paller, director
of research at the SANS Institute, a nonprofit cybersecurity research
organization in Bethesda, Md.



Among the problems that lawmakers noted is the tendency by agencies to
leave in the dark those charged with protecting networks. Threat
analysis conducted by DHS and other national security agencies is
largely classified, and therefore not disclosed to chief information
officers. Jamison said that efforts to improve situational awareness --
by consolidating the number of external Internet connections and
improving intrusion detection -- will increase the amount of information
available to agency CIOs.



Both Republicans and Democrats in Congress also stressed the need to
move away from a reactionary strategy. Einstein, for example, tracks IP
addresses, the size of data packets and where information is flowing
network to network, but is largely passive. Information needs to be
routinely downloaded and analyzed to detect patterns, malicious
addresses and any suspicious activities. Planned enhancements to
Einstein will allow real-time response to threats, Jamison said, by
finding harmful code and alerting system administrators when intruders
attempt access.



"I've been sitting here with my mouth open," said Rep. Jane Harman,
D-Calif. "While all of you are well-meaning, the fact that you don't
have threat information and are working on projects that will take years
to complete is shocking. If we're serious about these threats, we're not
being serious about response."



Karen Evans, OMB administrator of electronic government and information
technology, hinted at new metrics for gauging the ability of agency
networks to combat threats. Certification and accreditation of systems,
currently the primary means of measuring agency compliance with
cybersecurity efforts, allows agencies to do inventory of what they have
in place, while future metrics will test for vulnerabilities.



"When we first started this process ... agencies didn't know what they
didn't know," Evans said, loosely quoting a statement made by former
Homeland Security CIO, Scott Charbo, during a June 2007 congressional
hearing on the same topic. Charbo, who is now the DHS deputy
undersecretary of the National Protection and Programs Directorate, also
testified at Thursday's hearing.



"Certification and accreditation is a soup-to-nuts process," Evans said.
"[Now] we have to move to the next level where we're actually achieving
a result rather than doing a paper exercise."



New metrics need to measure how well agencies can withstand known
attacks, Paller said.



"The biggest mistake of the last 10 years has been that people kept
attacks secret; it caused the government to fall behind. Now that we
know better, let's measure systems not on the hypothetical, but on
what's real."




