Information Security News mailing list archives

A spending tug of war


From: InfoSec News <isn () c4i org>
Date: Tue, 8 Oct 2002 02:03:53 -0500 (CDT)

http://www.fcw.com/fcw/articles/2002/1007/news-energy-10-07-02.asp

By Megan Lisagor 
Oct. 7, 2002

Working from its fiscal 2002 spending account, DOE's NNSA had $555
million for safeguards and security. Of that, $58 million was
earmarked for information security, according to the official, who
asked to remain anonymous. But some of that money was reallocated to
guards, their overtime pay and other physical defenses after the
attacks, the source said.

The timing couldn't be worse.

"We're barely holding our own in being able to keep up our defenses,"  
the official said. "We can handle the basic stuff, but [not] the
really sophisticated ways of attacking and moving data."

It boils down to a spending tug of war, cybersecurity experts said.

After Sept. 11, my "first priority was to assure the safety and
security of nuclear weapons, the weapons complex and its employees,
special nuclear material and other high value assets," NNSA
Administrator John Gordon wrote in the agency's budget request for
fiscal 2003.

Gordon augmented protective forces and established a heightened
security posture, according to the proposal. In addition, the agency
formed a task force to recommend immediate improvements and develop an
action plan for future enhancements.

The agency received $30 million in supplemental funding, part of which
went to accelerate the deployment of near-term cybersecurity measures
at all of its nuclear weapons complex sites, a DOE spokesperson said.

But "we're still short of funds," the Energy official said.

At NNSA, security is key. The agency takes a three-layer approach to
its network architectures, similar to a bull's eye with green, yellow
and red circles for unclassified/nonsensitive, sensitive and
classified information, respectively, according to the official.

Although NNSA tracks and monitors red very well, the source said,
yellow is weaker because the agency has had to devote its resources to
the green layer, which has the most open access and limited firewall
capability.

NNSA also doesn't have the funds to continue a project that addresses
the so-called insider threat, posed by individuals with legitimate
access to its networks, according to the source.

It's a threat the agency has dealt with in the past. In 1999,
scientist Wen Ho Lee was charged with copying secret nuclear
information from a secure computer at Los Alamos National Laboratory.  
In a separate case the next year, classified computer drives were
reported missing and then found at the lab.

Despite a spate of problems, the alleged money transfer doesn't
surprise cybersecurity experts. "It's consistent," said Eugene
Spafford, professor and director of Purdue University's Center for
Education and Research in Information Assurance and Security. "What we
don't have enough of, in this realm in particular, is the kind of
long-term thinking that has occurred in other areas."

Blaine Burnham, director of the Nebraska University Consortium on
Information Assurance and a senior research fellow for the University
of Nebraska at Omaha's College of Information Science and Technology,
agreed. "Generally, it runs true to form with what has happened to
cybersecurity budgets over time. It doesn't have the sizzle. Guards
with big, barking dogs have lots of sizzle.

"That's not to say that the NNSA hasn't made an introspective analysis
of where [its] needs are," Burnham said.

NNSA has asked Congress for $510 million for safeguards and security
for fiscal 2003, with $72 million set aside for cybersecurity, but
expects to get $66 million to protect its networks, the DOE official
said, adding that the agency needs about another $30 million to get
the job done.

"There's a lot of turmoil in the federal government in general trying
to get all security - information and physical - sorted out," said
Chip Lawson, business development director for Harris Corp.'s
security-threat avoidance technology network group.

In a boon to cybersecurity, the Bush administration last month
released a draft National Strategy to Secure Cyberspace. Some IT
experts criticized the plan as too weak for not setting specific
requirements for the public and private sectors.

DOE officials were unavailable for comment.

Challenging mission

Congress created the National Nuclear Security
Administration in fiscal 2000 to carry out the Energy Department's
programs in nuclear weapons, defense nuclear nonproliferation and
naval reactors. Its facilities include Lawrence Livermore, Los Alamos
and Sandia national laboratories. "They have possibly the most
significant information and physical security challenge in the nation,
if not the world," said Blaine Burnham, who previously held
information assurance roles at the National Security Agency, Los
Alamos and Sandia.




-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.

