The US Government— bigger and better information security?


From the editor-in-chief Editor-in-Chief Dr Eugene Schultz, CISSP University of California-Berkeley Lab 1 Cyclotron Rd MS 50A-3111 Berkeley, CA 94720 USA Email: [email protected]


For years the US Government has shown little progress in its cybersecurity efforts. It has produced a plethora of documents—the “Rainbow Series,” Federal Information Processing Standards (FIPS) and Office of Management and Budget (OMB) directives, agency-specific orders and handbooks, and so forth—as well as special positions, committees, councils, and commissions charged with investigating and fixing security problems. The General Accounting Office (GAO), which audits federal systems, often produces scathing findings. But the actual level of security within US Government systems and networks has not changed much over time. Attackers have historically been able to freely prey on US Government systems; this is still very much true.

The tragic events of September 11 caused drastic changes within the US government. New counterterrorism legislation now exists, huge amounts of funding have been allocated to fight terrorism, and the Department of Homeland Security has been created in response to terrorist threats. Some information security professionals predicted that demand for cybersecurity would increase dramatically; others said that there would be little impact. The latter appear to have the upper hand so far, but recent developments may change things.

The US recently distributed a draft version of its National Strategy to Secure Cyberspace (see www.whitehouse.gov/pcipb). This document presents a draft plan for protecting the US computing infrastructure that focuses on home users and small business, large enterprises, critical sectors, and national and global priorities. Although this plan is much too extensive to discuss in detail here, I’d like to share some of my thoughts about it.


0167-4048/02US$22.00 ©2002 Elsevier Science Ltd

On the positive side, all things considered, this document represents a very competent effort. What is especially impressive is the sheer number of different approaches and methods advocated—the plan is for the most part quite comprehensive. Achieving security among home computer users is, for example, among the many areas this plan covers. Prescriptions for the private sector include not only the usual “best practices” measures, but also measures such as having boards of directors provide tough scrutiny of a corporation’s cybersecurity practices. Measures prescribed for the federal sector include not only “the same old same old” measures, but also annual security reviews for the entire federal sector and tracking of progress. The document also gives security awareness and training, one of the most time-proven and cost-effective methods, its just due. Furthermore, I liked the attention paid to the importance of computer crime legislation, especially from a global perspective. The current void of meaningful computer crime legislation is indeed one of the greatest limitations in the fight against computer crime. Additionally, the authors have advocated the use of strong authentication, such as through biometrics, smart cards, and token devices. Finally, I like its emphasis on the need to secure wireless networking, an issue that certainly will only grow in importance over time.

On the down side, this document contains several ignorant statements such as: “Approximately 70 percent of all cyber threats are believed to be perpetrated by trusted insiders.” Apparently the authors are not cognizant of recent statistics, such as those found on www.gocsi.com. Additionally, the National Strategy to Secure Cyberspace purports to address infrastructure protection concerns, but devotes too much attention to the home user problem. Home computers are now much more of a target than they were several years ago, but home computer security issues pale in comparison to true national infrastructure threats. Much home usage is, after all, recreational in nature, and the attention paid to this issue diverts attention from other, considerably more critical national infrastructure-related issues. Furthermore, I am disappointed with the simplicity of the best practices for industry described in this draft. These practices do not seem like best practices, but rather more like baseline (minimal) practices. And I am perplexed by the fact that although there is sufficient emphasis upon intrusion response, the area of intrusion detection is for all practical purposes omitted.

Yet without effective intrusion detection, incident response languishes. Another concern is the call for a continuing cycle of risk assessment. I question relying on risk assessment as we know it, given the level of uncertainty it still leaves us with and the high cost of performing this activity. The authors should at least have considered adhering to “due care” practices as a more tangible and cost-effective alternative. My “pet peeve,” however, is that the document repeatedly calls for cooperation between the public sector and law enforcement, but never addresses the two greatest obstacles: lack of trust of, and lack of competence within, the law enforcement community. Will the private sector cooperate better with law enforcement merely because the National Strategy to Secure Cyberspace calls for cooperation? The plan discusses the possibility of security service provider and other types of certification, but never mentions independent certification of law enforcement as well as other government personnel, something that would almost certainly at least boost competency levels. I am nearly as dismayed that the draft plan does not address one of the biggest impediments to better cybersecurity within the government—in-fighting among and within different Government organizations and agencies. There is no simple solution for this age-old problem, however. Interestingly, the plan appears to put OMB (the Office of Management and Budget), which controls money within the US government, in charge. Whether this will help with the in-fighting problem is, however, unlikely. What may instead help is that the draft plan advocates making agencies accountable for security. This recommendation, which deviates substantially from how things have worked within government circles in the past, may do more to eliminate the pettiness that leads to rivalries and in-fighting than anything else.

All things considered, the National Strategy to Secure Cyberspace is a potential big step forward. At a minimum, it is better than anything we have seen before. The document states that any progress achieved will come gradually, not instantly. And as the authors have said, it is impossible to solve all problems in one writing effort. But after all is said and done, will cybersecurity practices within the US government (as well as in other governments) really improve? Unfortunately, the odds are against real progress because the government will continue to be its own worst enemy. Solving any government’s cybersecurity problems will require an overhaul of the government itself, something that is extremely unlikely to occur given that governments themselves develop a structure and modus operandi designed to resist change.

E. Eugene Schultz, Ph.D, CISSP, Editor-in-Chief