The US government is doing too little to encourage cybersecurity efforts outside of government and it still needs to get its own house in order, two security experts have claimed.
The government's main cybersecurity law might do nothing more than bury bureaucrats in paperwork, one witness at a House Government Reform Committee hearing testified.
Another witness called on the government to push for more secure internet standards and for government agencies to separate their websites from networks containing security-sensitive information.
The US government's own Federal Information Security Management Act (FISMA), passed in 2002 in an attempt to require US agencies to track their cybersecurity efforts, "runs the risk of becoming a paperwork exercise", said Kenneth Ammon, president of NetSec, a managed security service company.
FISMA's emphasis on certification and accreditation (C&A) of computer systems can help ensure security measures are built into new software, but Ammon told the committee that it was difficult to apply certifications to existing or older legacy systems.
The US government also should push for core internet protocols such as the Border Gateway Protocol (BGP) and the Domain Name System (DNS) to include authentication, added Thomson Leighton, chief scientist at Akamai Technologies, a distributed computing platform company. Both BGP and DNS lack authentication, making it relatively easy for hackers to redirect internet traffic.
Leighton added that the US government should push for new security measures on the internet. "I don't think we need to replace the internet to make it more secure. It's improving the protocols. The federal government can certainly play an important role in highlighting the problem."
Committee chairman Tom Davis asked if those protocols would be improved quickly if the federal government did not push for it. Leighton answered no.
Leighton also called on US government agencies to separate their public-facing websites from other government networks. "As long as the public is invited into government networks to access websites, it is difficult, if not impossible, to prevent unwanted access by hackers," he said.
"Today you have a situation where there are many government networks where they have thousands of public-facing websites sitting side by side with sensitive government services. That's a recipe for problems."
When asked if separating public websites from sensitive government networks would reduce public access to government information, Leighton said the opposite would happen. With government websites running on their own networks, those sites would be faster to access and cheaper to maintain, he added.
When the committee chairman put the question of separating websites from other government data to Karen Evans, the administrator of the Office of Electronic Government in the White House Office of Management and Budget (OMB), she said it may work on an agency-by-agency basis.
"That is an alternative that's considered," she added. "If that is the best solution for that agency's cybersecurity posture, as well as meeting the mission that they need, that's an alternative that's evaluated."
The testimony from Leighton and Ammon was important, Davis said, but he was unsure it made him feel better about US cybersecurity efforts. "My primary goal today is one of public education. Computer security can no longer be relegated to the back benches of public discourse, or remain the concern solely of governments or corporate technology experts."
But Evans, the new chief information officer for the White House OMB, defended government cybersecurity efforts, saying the Department of Homeland Security's Federal Computer Incident Response Center works with law enforcement agencies and private industry to promote incident reporting and cross-agency sharing of data about vulnerabilities.
Forty-seven US agencies subscribe to FedCIRC's Patch Authentication and Dissemination Capability, she added.
"OMB is committed to a federal government with resilient information systems," Evans said. "The dangers posed by the internet must not be allowed to significantly affect agency business processes or disrupt services to the citizen."
Grant Gross writes for IDG News Service