Lawmakers voice concerns over cybersecurity plan
Too little too late?
Members of the House of Representatives sought details on Thursday of a $30bn plan to secure federal government systems and upgrade network defenses to ward off attacks from foreign nations and online criminals.
Known as the Cyber Initiative, the Bush Administration project would dramatically reduce the number of interconnections between federal government networks and the internet and put more advanced network security in place to monitor data traffic for signs of malicious attacks.
While the five to seven year project could dramatically improve the network defenses of government agencies, lawmakers questioned whether the initiative will be too little, too late, and whether the resulting network monitoring could undermine privacy.
"It's hard to believe that this Administration now believes it has the answers to secure our federal networks and critical infrastructure," Representative Bennie Thompson (D-MS), chairman of the House Committee on Homeland Security, said in prepared remarks at the opening of the hearing on Thursday. "I believe cybersecurity is a serious problem - maybe the most complicated national security issue in terms of threat and jurisdiction. This problem will be with us for decades to come."
The US government gave short shrift to cybersecurity issues at the beginning of the decade. While the Bush Administration released its National Strategy to Secure Cyberspace in 2003, the final document significantly softened the government's stance on securing critical infrastructure, which is primarily maintained by private companies. The Administration also collected most of the cybersecurity capabilities into the Department of Homeland Security and then failed to fund the efforts.
While Congress established the position of Assistant Secretary for Cybersecurity within the DHS in 2005, the Bush Administration failed to fill the leadership role for more than a year, finally appointing Greg Garcia, a former information-technology lobbyist, to the post.
In the last two years, however, the Bush Administration has focused more intently on securing government networks. The US computer emergency readiness team (US-CERT) has deployed a network-traffic analysis system, EINSTEIN, to monitor 15 agencies for possible computer intrusions.
The National Institute of Standards and Technology has created the National Vulnerability Database and worked with other agencies to create important standards for configuration management and vulnerability detection.
The Office of Management and Budget, along with NIST, is spearheading an effort to get all desktop computer systems within federal agencies to use the Federal Desktop Core Configuration - a standard, secure configuration for Windows XP and Windows Vista.
The latest effort by the Bush Administration is the so-called "Cyber Initiative" - a plan to minimize the number of trusted internet connections, or TICs, and improve EINSTEIN's monitoring on those connection to prevent attacks in real time. The Bush Administration has budgeted $30bn over the next five to seven years for the programme, according to statements by Committee members. The 2009 budget has requested $294m for US-CERT to hire more analysts and fund the additional deployment of the system.
During Thursday's hearing, officials from the Office of Management and Budget and the Department of Homeland Security answered the Committee's questions on the non-classified components of the initiative.
As part of the Cyber Initiative, a major effort is under way to reduce the number of interconnections between federal agencies and the public Internet. Currently, more than 4,000 trusted internet connections (TICs) link the federal government to the internet, according to Robert Jamison, Under Secretary for the DHS's National Protection and Programs Directorate. Under the Cyber Initiative, that will be reduced to 50.
The DHS and the Office of Management and Budget (OMB) share responsibility for consolidating the network connections, said Karen Evans, the administrator for OMB's Electronic Government and Information Technology division. The initiative applies to all connections, no matter the agency, she said.
"Any external connection to an entity causes a risk," Evans said. "All agencies have to report to the OMB all external connections, and that means all of them."
Agencies already have submitted plans to reduce the number of access points to Evans' office. The initial deadline for complying with the OMB's mandate is June 2008.
The second part of the Cyber Initiative calls for improvement to the EINSTEIN intrusion detection system and the deployment of the system to monitor all 50 internet access points. Currently, EINSTEIN conducts flow analysis - tracking the source, destination, port and size of packets on the networks of 15 federal agencies.
"We only monitor a very small percentage of federal network traffic," Jamison told the committee members. "We want, through this initiative, to increase that to 100 per cent of all federal network traffic."
The information is analyzed on a daily basis, and so cannot detect threats in real time, DHS's Jamison said. The system would be enhanced to do more real-time analysis, he said.
"We are currently not looking at any content. We are proposing that we are going to do that. The threats are real. Our adversaries are really adept at hiding their attacks in normal everyday traffic. The only way to really protect your networks is to have intrusion detection capabilities."
Attacks on federal agencies have become a focus of the Committee on Homeland Security. A year ago, the House Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology heard testimony from representatives of the Departments of State and Commerce regarding attacks on those agencies' systems the previous year.
The Department of State acknowledged in June 2006 that attackers had installed remote access software on systems in the agency and abroad, stolen passwords and targeted information on China and North Korea.
In October 2006, the Department of Commerce took hundreds of computers offline following a series of attacks aimed at federal employees' computer accounts by online thieves that appear to be based in China.
Germany, the United Kingdom and the US have all accused Chinese-funded hackers of breaching their government networks.
A few committee members questioned whether the network monitoring system could cause privacy problems, if the government increased its capabilities.
"My constituents are asking about this," said Rep. Jane Harman (D-CA), a member of the Committee on Homeland Security. "'Government sets up spy network', that is how they are going to perceive this hearing."
Yet, the Bush Administration officials assured the committee members that the privacy impact of the evolved system is currently being investigated.
"Privacy and civil rights have been a top priority of this effort," the DHS's Jamison said. "EINSTEIN has a privacy impact assessment that is public. We are working on a new one."
The original assessment, completed in September 2004, found that the EINSTEIN system did not need to have Privacy Act System of Records "because the program is not intended to collect information that will be retrieved by name or personal identifier".
The committee also took issue with the DHS Secretary Michael Chertoff's decision to appoint Scott Charbo, the former CIO for the department, to the position of Deputy Under Secretary in charge of implementing the program. Charbo had told the committee previously that he had not been briefed on incidents involving infiltration of government systems by foreign attackers. His reply - "You don't know what you don't know." - has become a symbol of the Bush Administration's lack of focus on cybersecurity issues.
"Your decision to promote Mr Charbo to Deputy Under Secretary of National Programs and Plans effectively places him in charge of the cyber initiative at the Department," Rep Thompson stated in a February letter to DHS Secretary Michael Chertoff. "Given his previous failings as chief information officer, I find it unfathomable that you would invest him with this authority."
In a response to the letter, Secretary Chertoff defended Charbo, highlighting the changes that have happened under his watch.
If you have tips or insights on this topic, please contact SecurityFocus.
This article originally appeared in Security Focus.
Copyright © 2008, SecurityFocus