Obama administration to inherit tough cybersecurity challenges

There has been a 'fundamental ignorance' by the Bush administration on modern threats, says one expert

As President Bush prepares to leave office, the task of upgrading the security of federal information systems to deal with new cyberthreats continues to be very much a work in progress.

Several key federal cybersecurity initiatives launched during the Bush administration — some in direct response to the Sept. 11, 2001, terrorist attacks — are still years away. A few other initiatives are closer to completion but still don't do enough to protect federal networks and systems against increasingly sophisticated attacks from cybercriminals and nation states.

Fixing the situation will require the next administration to focus not just on completing the initiatives that are already under way, say security industry representatives. It also means increasing attention to issues such as collaboration between the public and private sectors, as well as a greater willingness to use the government's buying power to force change among vendors and service providers.

Crucial, too, is the need for the Obama administration to stop tying federal cybersecurity responses so closely to the broader post-Sept. 11 war against terror, said John Pescatore, an analyst at Gartner Inc. "The terrorist attacks of 2001 sent the Bush administration in the wrong direction" on the cybersecurity front, Pescatore said. There's been too much of tendency to view cyberthreats in the same light as physical terrorism threats and to respond to them in the same manner. In the process, some of the more immediate threats to government data and networks have been somewhat overlooked, he said

Despite some of the challenges, progress has been made, says Karen Evans, who serves as federal CIO in her role as administrator of e-government and IT at the Office of Management and Budget (OMB). She said there are several initiatives that have been launched over the past few years that are already making, or will soon make, a difference.

Top on Evans' list is Homeland Security Presidential Directive-12 (HSPD-12) of August 2004, under which federal agencies are required to issue new smart card identity credentials to all employees and contractors.

Work in progress

Agencies were supposed to have completed issuing the so-called personal identity verification cards by the end of last month, but most are nowhere close to that goal and will require at least two more years to fully implement the mandate.

The initiative, a response to the Sept. 11 attacks, will result in much better identification and authentication of all individuals with access to federal systems and buildings, Evans said. It will also enable better security otherwise — such as providing a second form of authentication — for online services and teleworking, she said.

Other initiatives Evans noted include the recent upgrade of federal networks to the more secure IPv6 protocol and the ongoing Trusted Internet Connectivity (TIC) effort, under which all civilian agencies are working to reduce the number of external Internet connections in place.

The TIC initiative was launched in November last year as a way to reduce governmentwide exposure to Internet-born risks and will result in the government reducing the number of external links it has from 4,300 to 100 over the next two years.

Evans also pointed to the Federal Desktop Core Configuration (FDCC) project, which is aimed at reducing procurement costs and bolstering security of desktop environments by requiring agencies to implement standard security configurations on all of their Microsoft Windows systems.

Earlier this year, President Bush also put into motion the highly classified, multibillion-dollar Cyber Initiative, which is supposed to bolster the nation's ability to detect and respond to cyberthreats against critical infrastructure targets. Relatively few details have been publicly disclosed about the effort, and with the National Security Agency involved, the initiative has spooked many, including some in Congress.

Despite fears, the initiative is being seen as an important, if somewhat belated, recognition by the federal government on the need for concerted multiagency efforts to deal with cyberthreats on a national scale. Tom Kellerman, vice president of security awareness at Core Security Technologies, said it signals an "awakening" in Washington about the need for policy, procedures and presidential involvement in cybersecurity.

What remains to be done

But Kellerman, who is part of a commission that is developing cybersecurity recommendations for the Obama administration, said much work remains to be done. "The existing administration has only just begun to pay attention to cybersecurity" as a national security issue, Kellerman said. Over the past few years, there has been a "fundamental ignorance" about what is really needed to address today's threats, he said.

In the aftermath of the Sept. 11 attacks, almost all the responses were centered on physical security issues and on building business resiliency and disaster recoverability capabilities. Kellerman said that trend has exacerbated cybersecurity issues because there are now more targets to protect than previously. "When you create backup facilities, you are expanding the targets" that are available to cybercriminals, he said.

Many of the initiatives that agencies are implementing, such as FDCC, IPv6 and data encryption, are helping bolster security in bits and pieces, Pescatore said. But they were initiated as the result of "random edicts" from the OMB and are not tied to any broader national cybersecurity objective, Pescatore said. The fact that many of these projects are also unfunded has only added to the sense of randomness, he said.

Increasingly, new money for cybersecurity is going toward funding overarching surveillance and monitoring initiatives against terrorism, which, while needed, does little to secure individual agencies against cybercriminals looking to steal data or sabotage networks, Pescatore said. While most of the focus has been on preparing for cyberwarfare, a lot of the threats that agencies have actually had to deal with have come from attackers seeking financial gain from data theft or those indulging in espionage, Pescatore said. Addressing the basic technology and process vulnerabilities that enable such attacks is as important as the national Cyber Initiative is, he said.

"The issue is you can study meteorology or you can raise the levees. What we have done for eight years is talk about cyberwarfare instead of raising the levees," Pescatore said.

Rallying international support

Kellerman said a key to success will be the Obama administration's ability to rally international support in the fight against cybercrime. By some estimates, there are over 100 nation states around the world today with some sort of cyberwarfare capability, he said. Many of these governments are working with private sector companies to try and gain competitive advantage in the international marketplace via data theft and espionage, Kellerman said.

One of the biggest examples is a Chinese cyber-espionage group called Titan Rain, which is believed to be carrying out attacks against a large number of U.S. government, military and commercial interests, Kellerman said. Dealing with such threats will require coordination across borders, governments and law enforcement agencies, he said.

Purchasing power

Independent consultant Franklin Reeder, former chief of information policy at the OMB, said the government can do several things to build on what's already in place. The most important is for the government to use the procurement process to buy safer products, he said. As such a large purchaser of technology, the government can and should use its buying clout to build more security requirements when purchasing products from technology vendors, he said. The FDCC initiative has already shown that such an approach can be successful and that there is no reason why it should not be extended to other federal contracts, including those involving turnkey projects, he said.

More investments are needed in providing specialized security training for federal information security professionals, Reeder said. The Department of Defense's information assurance awareness training program already provides a model that other agencies can use to deliver targeted and platform-specific security training programs.

Fundamental changes are also needed in the way private companies and the government work with one another to protect critical infrastructure systems and respond to emergencies, he said. The policy coordination programs that have been implemented by the government so far are not really public-private partnerships, Reeder said. "They've just been convened by the government for the government," he said.

The incoming Obama administration needs to realize that securing the infrastructure is "no longer just about what the feds do," Reeder said. Rather, it is about working across sectors, and sharing threat and vulnerability information and policies for operational and emergency response, he said. "There are several things that I think this administration has done, but they need to be done more aggressively and more comprehensively," Reeder said.

Copyright © 2008 IDG Communications, Inc.

  
Shop Tech Products at Amazon