http://www.gcn.com/print/26_21/44843-1.html
By William Jackson
GCN Staff
08/13/07 issue
Agencies can lead, but the private sector needs to tackle the problem,
experts say
Information technology security and information assurance are becoming
too critical, too big and too complex a problem for the government to
handle by itself, according to two security experts. But they disagree
on how well government and industry are responding to the need for
greater cooperation to improve cybersecurity.
Tony Sager, chief of the National Security Agency's Vulnerability
Analysis and Operations Group, said in an opening address at the recent
Black Hat security conference in Las Vegas that government needs
industry's help and that NSA is reaching out to industry.
"We've got to figure out how to solve this problem with solutions that
scale across the entire community," Sager said. That means his agency
must bring its information to the table and find common ground with the
private and academic sectors. "'We're from the government and we're here to
help' doesn't work with this crowd."
According to Richard Clarke, former U.S. counterterrorism czar, who
shared the opening keynote address slot with Sager, the government's
culture must change a lot more before the country's critical
infrastructure can be secured.
"I'd like to know why it was that we lost momentum in solving the problem
in more than a piecemeal manner," Clarke said in an interview with
Government Computer News. "There is no leadership. There is no national
plan implemented."
Industry, commerce, health care and national defense increasingly rely
on an Internet that remains brittle and open to attack and disruption,
Clarke said. "The day-to-day environment is replete with crime and
espionage. We are accepting a high level of cost we needn't accept. But
we've done nothing to solve the problem."
Clarke has been a high-profile critic of the nation's cyberdefense
efforts since his retirement from government in 2003. Now the chairman
of Good Harbor Consulting, he served under four presidents, from Ronald
Reagan to George W. Bush. His last government position was chief
counterterrorism adviser under Presidents Clinton and Bush, and he
helped develop the National Strategy to Secure Cyber Space, released in
February 2003.
Despite concerns about a lack of leadership, change is occurring, Sager
said. Although much of NSA's work remains secret, Sager's organization in
the agency is a reflection of the need to work with industry to develop
open and standardized security and research practices.
When Sager began working at NSA in 1977, it was a dramatically different
security problem, he said. "IT security was a government monopoly. The
government owned the problem, and could control the technology. Those
days are over."
NSA has struggled with the change in culture. "But you have no choice but
to be concerned about the security of commercial products the government
does not control," Sager said. "We changed the way we behaved to gain the
trust and cooperation of the security research community."
But according to Clarke, government has lost an opportunity to make real
progress in IT security since the release of the National Strategy to
Secure Cyber Space. "In this case, we had high-level awareness that there
was a problem," Clarke said. President Bush signed off on the strategy,
and there was an understanding among the government and industry leaders who
collaborated on the strategy of the need for the two sectors to
cooperate. "They understood it was not mainly a government problem," he
said. "There was a necessary role for government, but it was a
private-sector problem, mainly."
However, little progress has been made and some ground has been lost.
The government has failed to provide a role model for security, as it
was supposed to under the strategy; federal funding for security
research and development is down; and the situation probably will get
worse before it gets better, he said. "We need to ask ourselves, why?"
No leader
The problem stems from a lack of congressional as well as presidential
leadership, coupled with a lack of executive initiative in the private
sector, Clarke said.
The government didn't want to regulate, he said, and did not feel
competent to regulate in technical areas. Without government leadership,
corporations won't move unless forced by some catastrophe. "What motivates
people at the corporate level is disaster."
Meanwhile, there has been progress from companies that see a
relationship between the security of their products and their business
success. Corporate giants such as Microsoft, Cisco and Oracle often are
cited as examples of companies that have improved their own software
development processes. Government has had a hand in encouraging those
improvements by creating standards and putting business pressure on the
companies.
NSA's set of security guidelines for Windows NT in 1999 was just one of
14 sets of such guidelines for that operating system. But the complexity
of Windows 2000 made the job too difficult for NSA to handle alone.
The agency built a cross-agency, public/private partnership with the
Defense Information Systems Agency, the National Institute of Standards
and Technology (NIST), the SANS Institute and the Center for Internet
Security to develop guidelines.
This led to a standard default configuration for the OS required by the
Air Force, which eventually was adopted by the Defense Department and
civilian agencies. NSA now is partnering with other agencies in
developing a number of open programs such as the Common Vulnerabilities
and Exposures scheme and the Security Content Automation Program housed
at NIST.
But Clarke said effective leadership could have accomplished much more
by now. Service providers could be filtering malware before it hits the
local-area network and end user, he said. There could be better and more
encryption, a secure Domain Name System and a parallel network structure
to provide priority service during emergencies.
However, there are bright spots. Companies are beginning to reduce the
scope of vulnerabilities in their software, and IPv6 is slowly moving
forward, especially in Asia. But Clarke is not optimistic about the
government's ability to make use of the new version of IP, which is
supposed to be enabled on agencies' backbone networks by next June.
"I am very skeptical that the government is going to do the things it
says it will do, because it hasn't over the last five years," he said.
What can be done to improve the situation? The next administration might
appoint someone to lead the effort, he said. "Certainly not me, because
I'm not going back in."
Until that leadership comes, Clarke is afraid that nothing short of a
catastrophe will focus adequate attention on these issues.
"In the absence of the financial pain caused by a cyberdisaster, the only
thing that's going to get anybody to do anything is regulation," Clarke
said. "And that's too bad, but when you have a market failure, you have to
have regulation."
Copyright 1996-2007 1105 Media, Inc. All Rights Reserved.