by Wilson P. Dizard III
WASHINGTON — Federal agencies are taking a new look at information security, the government's 2003 budget proposals reveal. A comprehensive new approach to defending the nation's information technology assets ranges from new security technologies to protect military communications, to assessments of system vulnerabilities for homeland defense.
Funding is emerging partly from agencies as diverse as the Pentagon, the Interior Department, and the Federal Emergency Management Agency, where agency leaders are reviewing and strengthening new and existing cybersecurity initiatives.
Particular attention is on $722 million worth of computer security projects to be launched in the fiscal 2003 budget from:
- the FBI's National Infrastructure Protection Center, aimed at foiling electronic attacks on federal and private sector information technology assets;
- a campaign to promote widespread use of the Advanced Encryption Standard;
- a project to provide priority to authorized users of cellular and personal commun cations system networks during crises — especially 'first responders' such as police and firefighters;
- a study of the GovNet proposal to create a secure network linking federal agencies and isolated from the Internet via appropriate firewall and intrusion detection technology;
- the Cyberspace Warning Intelligence Network, which would coordinate public and private response to electronic attacks; and
- a project called Cyber Corps that would provide college scholarships to computer security students in return for their commitments to enter federal service.
Additional billions in federal computer security funding will flow from the $48 billion in new defense spending requested for the fiscal 2003 budget cycle.
Private sector vulnerabilitiesA hallmark of the new environment of large-scale domestic attacks is the government's focus on the vulnerabilities of the private sector to terrorist attacks. Members of the Critical Infrastructure Protection Board, a policy panel with participation by White House and Pentagon officials, is conducting a classified study called Project Matrix to identify the interdependencies between the major infrastructure elements of the private economy and the federal government."The leadership the government needs to play in this area is real," said John Tritak, director of the associated Critical Infrastructure Assurance Office, recently to a gathering of computer security executives near Washington.
Tritak, who cites the vulnerabilities that links between the private sector and the federal sector create for the federal government, including security holes in financial systems and vulnerabilities in electric power, railroad, fuel, and other networks. He cautions that areas of vulnerability are so large that it is impossible to secure all of them.
"There is an underlying sense that the market is not going to respond well to this challenge," Tritak says, pointing out, however, that the government has its own computer security problems. "It's almost a cliché now to say that government computer security stinks," he says.
"The key is to learn what the crown jewels are — the core processes — and secure them," Tritak says.
Vulnerability assessmentsThe vulnerability assessments conducted so far have revealed several conspicuous flaws in the security regimes of federal agencies, which are receiving urgent attention from federal officials and the contractor community.At least five security problems are the most serious, says Jim Flyzik, vice chairman of the federal Chief Information Officers Council and chief information officer of the U.S. Treasury Department. These glaring security problems are:
- lack of senior level attention to computer security issues;
- lack of certification and accreditation of federal systems;
- failure to install software patches;
- lack of intrusion — and incident — detection systems; and
- lack of supervision of contractors who move from agency to agency.
Flyzik adds that the cooperation among federal agencies in homeland security leaves much to be desired. "If there's an area where we need to be self-critical, it's that we have not done a good job in sharing information among ourselves, including the intelligence community and the federal, state, and local law enforcement entities," he says. "We need a major push to improve that dramatically."
At the operational level, meanwhile, systems security professionals are dealing with a new kind of security attack called "blended threat."
The Nimda worm that surfaced late last year was an early example of a blended threat, say security professionals at Internet security firm Symantec Corp. in Cupertino, Calif. Like the CodeRed, Sadmind, and Lion worms, it spreads rapidly because it propagates with multiple vectors. Often, a blended threat damages only one system and exploits different security weaknesses, according to a Symantec analysis of current system security threats.
Typically, viruses require some human intervention to spread, according to Symantec. Blended threats, however, can spread automatically and search for missing patches and other vulnerabilities. In the 24 hours after it started spreading, the Nimda worm infected more than 2.2 million servers and PCs, according to Symantec; the losses from the incident exceeded $1 billion.
Responding to blended threats requires a defense in depth, according to Symantec, that secures various levels of operation: gateway, server, and client.
A source for more information on blended threats is the free newsletter of the FBI's National Infrastructure Protection Center at http://www.nipc.gov, which is published every two weeks.
Virus threats"A total of 197 distinct viruses are currently considered 'in the wild' by anti-virus experts, with another 455 viruses suspected," the NIPC report says. "'In the wild' viruses have been reported to anti-virus vendors by their clients and have infected user machines. The additional suspected number is derived from reports by a single source." In the case of many viruses reported in the FBI newsletter, "No workaround or patch [was] available at time of publishing."Because the vulnerabilities of the civilian agencies, the Pentagon, and the private sector involve so many thousands of systems spread across the globe, many thousands of computer security professionals are involved in confronting them. Some help is coming from perhaps unlikely directions, such as the U.S. Commerce Department's National Institute of Standards and Technology (NIST).
A NIST presentation at a recent computer security conference in Washington described how agency leaders plan to triple their output of computer security publications this year.
The NIST publications, with such lyrical names as Computer Security Considerations in Federal Information Technology Procurements, Guide to Information Technology Security Services, Security Product Selection Guide, Applying Security Patches, and Windows 2000 Security Configuration Guide, are available at http://csrc.nist.gov. In all, NIST has almost 20 computer security technical manuals available or in production on a stepped-up schedule to address the nation's needs.
"The here and now is kicking us," says Joan Hash, group manager of NIST's Computer Security Resource Center (CSRC). "We don't call these guides best practices, we call them effective practices or principles of security. Whatever it is, it is something that is known to be good, effective, and useful."
Tim Grance, systems security specialist at the CSRC, added, "One real challenge to operating a major enterprise is deciding which systems to patch-it has to be done in an orderly fashion. In one case — and I won't mention the name of the company in Redmond, Washington — a company's patch affected [the] Netscape [browser]."
Military data securityMeanwhile, U.S. military leaders are busily securing their own computer systems. In the U.S. Navy's Pacific Fleet, sailors are implementing electronic business security in various ways, including the public key encryption (PKI) architecture requirement that the U.S. Department of Defense (DOD) adopted in May 1999. According to that policy, about 2 million U.S. service members and DOD employees must have a PKI certificate by October 2002.PKI is a group of enabling technologies that activate the security features of existing networks and systems, says Dennis Lamm, PKI program manager for the Pacific Fleet and an employee of Getronics Corp. in Billerica, Mass. Implementing PKI across the Pacific Fleet involves the participation of 63,000 users afloat, 60,000 users in the continental U.S., and 17,000 users aboard ships, Lamm told the security conference.
"This will cause a revolutionary change in the Pacific Fleet," Lamm says. "We are trying to make this work — it has to be sailor-proof."
The final result of the PKI project, "will be that it will build trust and build force protection."
