Monday, October 10, 2005

U.S. cybersecurity due for FEMA-like calamity?

An article by Declan McCullagh and Anne Broache on CNET summarizes what many thoughtful observers have been saying for some time: Our critical infrastructure is just as vulnerable to cyber-attack as skyscrapers were to hijackers before 9/11. Many privately wonder why we have not already been attacked.

In the wake of Hurricane Katrina, the Federal Emergency Management Agency has been fending off charges of responding sluggishly to a disaster.

Is the cybersecurity division next?

Like FEMA, the U.S. government's cybersecurity functions were centralized under the Department of Homeland Security during the vast reshuffling that cobbled together 22 federal agencies three years ago.

Auditors had warned months before Hurricane Katrina that FEMA's internal procedures for handling people and equipment dispatched to disasters were lacking. In an unsettling parallel, government auditors have been saying that Homeland Security has failed to live up to its cybersecurity responsibilities and may be "unprepared" for emergencies.

"When you look at the events of Katrina, you kind of have to ask yourself the question, 'Are we ready?'" said Paul Kurtz, president of the Cyber Security Industry Alliance, a public policy and advocacy group. "Are we ready for a large-scale cyberdisruption or attack? I believe the answer is clearly no." ...

More so than FEMA, the department's cybersecurity functions have been plagued by a series of damning reports, accusations of bureaucratic bungling, and a rapid exodus of senior staff that's worrying experts and industry groups. The department is charged with developing a "comprehensive" plan for securing key Internet functions and "providing crisis management in response to attacks"--but it's been more visible through press releases such as one proclaiming October to be "National Cyber Security Awareness Month."

Probably the plainest indication of potential trouble has been the rapid turnover among cybersecurity officials...

"In the previous incarnation, DHS and the Homeland Security Council didn't really know what to do with cyber--it's been a deer-in-the-headlights experience for them," Lewis said. "It's not clear who's even in charge. When you look at all the different committees who assert they have a role in cybersecurity, it's about a dozen. Whenever you have 12 committees in charge, that means no one's in charge." ...

Even before Sept. 11, however, the federal government's cybersecurity efforts were being described as slipshod. In a blistering 108-page report released in early 2001, government auditors said the FBI's National Infrastructure Protection Center had become a bureaucratic backwater that was surprisingly ineffective in pursuing malicious hackers or devising a plan to shield the Internet from attacks...

A May 2005 report by the Government Accountability Office warned that bot networks, criminal gangs, foreign intelligence services, spammers, spyware authors and terrorists were all "emerging" threats that "have been identified by the U.S. intelligence community and others." Even though Homeland Security has 13 responsibilities in this area, it "has not fully addressed any," the GAO said.

Other analyses have said the agency is plagued by incompatible computer systems, and another found that Homeland Security was woefully behind in terms of sharing computer security information with private companies...

But the right tools and funding have to be in place, too, said Ed Lazowska, a computer science professor at the University of Washington. He co-chaired the president's Information Technology Advisory Committee, which published a report in February that was critical of federal cybersecurity efforts.

"DHS has an appropriately large focus on weapons of mass destruction but an inappropriately small focus on critical infrastructure protection, and particularly on cybersecurity," Lazowska said in an e-mail interview.

The department is currently spending roughly $17 million of its $1.3 billion science-and-technology budget on cybersecurity, he said. His committee report calls for a $90 million increase in National Science Foundation funding for cybersecurity research and development.

Until then, Lazowska said, "the nation is applying Band-Aids, rather than developing the inherently more secure information technology that our nation requires."
