White House: U.S. still far from cybersecurity

[InfoSec News <isn () C4I ORG>]

http://news.cnet.com/news/0-1003-201-4994624-0.html?tag=mn_hd

By Robert Lemos
Special to CNET News.com
March 1, 2001, 1:35 p.m. PT

Thirty-three months after a presidential order mandated that
government agencies work to protect the United States' critical
infrastructure, most have merely taken a few baby steps toward
securing the country's computers and networks, according to a White
House report.

The report found that the government has made progress in cementing
industry-government partnerships around critical technologies,
securing Department of Defense networks, and forming at least one
education initiative for training security personnel. But it noted
that there is still no way to locate and fix vulnerable critical
systems and no means of tracking the progress of the various
departments' pursuits of cybersecurity.

"Achievements to date are notable, but there is still work to do,"
stated the report, released a week ago by the Critical Infrastructure
Assurance Office (CIAO).

On May 22, 1998, President Clinton signed Presidential Decision
Directive 63, a rallying cry for the United States government to work
with industry to secure the country's critical computer systems from
cyberattack. The directive called for a national plan to protect such
systems and periodic reports of the progress made in securing the U.S.
infrastructure.

The 209-page interim report--requested by Congress as part of a
defense appropriations bill passed last October--laid out, agency by
agency, where the United States stands. While the National Plan
released a year ago seems to be on track, most agencies are still in
the information gathering stage.

In fact, in a survey released last September, the General Accounting
Office found that the vast majority of federal systems remained
vulnerable to attack.

The CIAO report agreed. "More of the American economy has become
dependent on IT systems," it stated. "Those who have the skills and
tools to disrupt our networks and systems have also increased, in
numbers and in capabilities. Malicious individuals, criminal groups
and nation states present significant threats to U.S. information
systems."

CIAO hopes to solve the major lack of information through a new
initiative dubbed Project Matrix. The project aims to identify key
systems in the government and identify how they could be attacked and
what would happen in the event of such an attack.

The project has so far red-flagged more than 4,000 physical and cyber
"assets" that will need to be protected among the 14 government
agencies--plus the military and intelligence communities--that have
taken part in the project to date. Fifty of the unnamed assets have
been bumped to the top of the critical list and given a green light
for further analysis because of their importance.

Not all agencies have taken part in the program, however. Both the
Securities and Exchange Commission and the Environmental Protection
Agency have only started to work with the Matrix analysis teams, while
both the Department of the Interior and Department of Transportation
have remained aloof, according to the report.

That makes the next three years a critical period, as networks become
more integrated and the threats more serious.

"While ongoing efforts continue to increase security on the nation's
current (information) systems, government and industry must insure
that security is designed into next-generation networks," the CIAO
report stated.

"Economic growth, better government service and efficiency, and a
stronger defense are all possible in the years ahead if we continue to
give a high priority to securing cyberspace."

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".