The US government is doing too little to encourage cybersecurity efforts outside of government and it still needs to get its own house in order, two security experts have claimed.
The government's main cybersecurity law might do nothing more than bury bureaucrats in paperwork, one witness at a House Government Reform Committee hearing testified.
Another witness called on the government to push for more secure internet standards and for government agencies to separate their websites from networks containing security-sensitive information.
The US government's own Federal Information Security Management Act (FISMA), passed in 2002 in an attempt to require US agencies to track their cybersecurity efforts, "runs the risk of becoming a paperwork exercise", said Kenneth Ammon, president of NetSec, a managed security service company.
FISMA's emphasis on certification and accreditation (C&A) of computer systems can help ensure security measures are built into new software, but Ammon told the committee that it was difficult to apply certifications to existing legacy systems.
The US government should also push for internet protocols such as the Border Gateway Protocol (BGP) and the Domain Name System (DNS) to include authentication, added Thomson Leighton, chief scientist at Akamai Technologies, a distributed computing platform company. Both BGP and DNS lack authentication, making it relatively easy for hackers to redirect internet traffic.
Leighton added that the US government should push for new security measures on the internet. "I don't think we need to replace the internet to make it more secure. It's improving the protocols. The federal government can certainly play an important role in highlighting the problem."
Committee chairman Tom Davis asked if those protocols would be improved quickly if the federal government did not push for it. Leighton answered no.
Leighton also called on US government agencies to separate their public-facing websites from other government networks. "As long as the public is invited into government networks to access websites, it is difficult, if not impossible, to prevent unwanted access by hackers," he said.
"Today you have a situation where there are many government networks where they have thousands of public-facing websites sitting side by side with sensitive government services. That's a recipe for problems."
When asked if separating public websites from sensitive government networks would reduce public access to government information, Leighton said the opposite would happen. With government websites running on their own networks, those sites would be faster to access and cheaper to maintain, he added.
When the committee chairman put the question of separating websites from other government data to Karen Evans, the administrator of the Office of Electronic Government in the White House Office of Management and Budget (OMB), she said it may work on an agency-by-agency basis.
"That is an alternative that's considered," she added. "If that is the best solution for that agency's cybersecurity posture, as well as meeting the mission that they need, that's an alternative that's evaluated."
The testimony from Leighton and Ammon was important, Davis said, but he was unsure it made him feel better about US cybersecurity efforts. "My primary goal today is one of public education. Computer security can no longer be relegated to the back benches of public discourse, or remain the concern solely of governments or corporate technology experts."
But Evans, the new chief information officer for the White House OMB, defended government cybersecurity efforts, saying the Department of Homeland Security's Federal Computer Incident Response Center (FedCIRC) works with law enforcement agencies and private industry to promote incident reporting and cross-agency sharing of data about vulnerabilities.
Forty-seven US agencies subscribe to FedCIRC's Patch Authentication and Dissemination Capability, she added.
"OMB is committed to a federal government with resilient information systems," Evans said. "The dangers posed by the internet must not be allowed to significantly affect agency business processes or disrupt services to the citizen."
Grant Gross writes for IDG News Service