The federal government cybersecurity team with primary responsibility for protecting the computer networks of government and private enterprise isn't up to the job, according to a draft Government Accountability Office report obtained by BusinessWeek.
The U.S. Computer Emergency Readiness Team, known as US-CERT, mans the front line in any cyber-attack. The group monitors computer networks for hacker threats, investigates suspicious activity online, and is supposed to issue timely alerts to information technology security professionals from the White House to corporations and electric utilities. But the GAO draft report describes US-CERT as bedeviled by frequent management turnover, bureaucratic challenges that prevent timely sounding of alarms, a lack of access to networks across wide swaths of critical terrain, and an inability to fill large numbers of positions with qualified workers.
Five years after the Homeland Security Dept. took charge of the team as a critical safeguard against threats to national security, US-CERT "still does not exhibit aspects of the attributes essential to having a truly national capability," according to the draft report.

Vulnerable to Foreign Adversaries
Privately, many within government and industry have grown increasingly concerned about the lack of such a capability. Without being able to effectively monitor a wide variety of computer networks across the country and quickly issue warnings of possible attacks, the government is, in effect, flying blind, or at least partially blind, despite the best of intentions. As BusinessWeek reported in April (BusinessWeek, 4/10/08), the concern these days is not merely that a pimply teenager in Bratislava will hack a corporate network or that Russian hackers will shut down a retailer's Web site with a so-called "denial-of-service attack." Rather, it's that there could be a sophisticated intrusion of sensitive computer networks by a potential foreign adversary such as China.
An independent bipartisan commission of corporate executives, network security specialists, and military and intelligence officials plans to go public with its concerns about the issue. "The central problems," James Lewis, a technology analyst at the Center for Strategic & International Studies, plans to tell Congress in testimony prepared for hearings on Sept. 16, "are the lack of a strategic focus, overlapping missions, poor coordination and collaboration, and diffuse responsibility."
A series of troubling intrusions in recent years, grouped under code names such as Byzantine Foothold and Titan Rain, were not initially recognized as being connected. They caused anxiety at major agencies of the federal government and among big defense contractors such as Boeing (BA) and Lockheed Martin (LMT).

Goals Not Being Met
The importance of recognizing patterns of attack across a broad swath of cyberspace is now accepted at the highest levels of the military, intelligence, political, financial, and industrial communities. Worries range from attacks on electric power plants to the potential for using computer networks to undermine a financial institution's viability. Thefts of funds by sophisticated hackers are now routine occurrences around the world.
But recognizing the larger pattern requires the people, technology, and access to sift through huge amounts of suspicious activity, and in its draft report the GAO has evidently concluded the envisioned goal is not being met.