Early warning center for cyber attacks in trouble

[InfoSec News <isn () C4I ORG>]

http://www.upside.com/News/3964c7eb0.html

by Ben Charny
July 06, 2000

The government's own computer systems may be derailing an effort
between public agencies and private companies to create an early
warning system for cyber attacks, the government's chief
cyber-security man believes.

Since 1998, a skittish private industry and the federal government
have been working together to create a gigantic database of every
hacking or computer hijacking incident, from the Love Bug viruses to
small incidents that the public rarely hears about. By 2003, they
hoped a constantly updated tool to combat, fight and forecast cyber
attacks would emerge.

Aside from the usual pitfalls of a private/public endeavor, the
project has been moving along smoothly. But last week, GAO director
Joel C. Willemssen, director of civil agencies information systems,
told a congressional committee that security for the government
computers where the info would be stored is so bad it may be driving
away private business.

Why trust the government?

Why would a business trust sensitive information with a government in
which 22 of its largest agencies suffer from some form of computer
security problems, including poor controls over access to sensitive
data?, he testified.

Some agency managers are getting "overly broad" access privileges to
very large user groups, and some users' shared accounts and passwords
are posted in plain view, Willemssen said. The problems seem to be a
"poor security management program" including testing systems for
security flaws, he says.

"To truly engage the private sector, the federal government needs to
be a model for computer security. Currently, the federal government is
not a model," he testified.

Bruce Shier, chief technology officer of Counterpane Internet Security
Inc. in San Jose, Calif., says private businesses are well aware that
historically the government hasn't done well protecting its own
secrets.

"When you share your information you have to ask, can you protect it?
They are asking for critical information about vulnerabilities. Or
security events that aren't made public by company, but you don't want
it out. Suddenly it's all over the world," he said. "A large
collection of secret information is, by definition, a target."

Project derailed as momentum builds

The problem threatens to derail the effort just as it is beginning to
pick up momentum.

President Clinton hatched the idea in 1998. Since 1999, several
industries have begun setting up information sharing networks. These
Information Sharing and Analysis Centers (ISACs) will make up the
early warning database.

The first sector to have an ISAC was the financial industry, which has
had one since 1999. In June, the Information Technology Association of
America will be organizing an ISAC as well.

Dan Woolley, the president of Global Integrity Inc. is familiar with
both ISACs. He says the information is run through an "anonymyzer," a
program that strips the information of any material identifying its
source. Then it's either stored or disseminated, depending on the
urgency.

Bill to protect private information

While the government tackles the problem of illegal information
gathering, a bill in Congress is trying to take care of another
industry concern: the legal release of information to the public.

The bill is essentially a change in the Freedom of Information Act,
which governs what information public entities must make available to
the public. The bill would make anything in an ISAC exempt from public
FOIA requests.

It would also bar federal or state agencies from using the information
to sue in civil court and let President Clinton hire non-government
agencies to talk about the government's cyber security.

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".