Information Security News mailing list archives

Mr. Schmidt goes to Washington


From: InfoSec News <isn () c4i org>
Date: Wed, 19 Dec 2001 02:12:25 -0600 (CST)

http://www.computerworld.com/storyba/0,4125,NAV47_STO66708,00.html

By DAN VERTON 
December 17, 2001 

WASHINGTON -- The pending appointment by President Bush of Microsoft
Corp.'s chief security officer Howard Schmidt to the No. 2 position at
the U.S. government's Critical Infrastructure Protection Board raises
an important question about the homeland security effort: Should
private-sector experts be heading for the White House or frontline
security agencies?

News of Schmidt's expected appointment, first reported by
Computerworld last week, comes as the federal government's
cybersecurity and critical infrastructure protection (CIP) community
struggles to define itself amid a growing bureaucracy focused on
homeland security.

While many experts praised the addition of Schmidt to the government's
CIP team, others said tangible steps need to be taken to improve the
government's focus and the private sector's cooperation with frontline
cybersecurity agencies such as the FBI's National Infrastructure
Protection Center. The NIPC, based at FBI headquarters in Washington,
was formed in 1998 to handle threat assessment, investigations and
responses to any attacks on critical U.S. infrastructures.

Despite lessons learned from the Sept. 11 terrorist attacks on the
U.S., which demonstrated the nation's vulnerability to physical
disruptions and the interdependency of its critical infrastructures,
the government and private-sector stakeholders in the CIP effort
remain uncertain about the definition of critical infrastructure
protection and, in some cases, uninvolved -- a problem that a
political appointment like Schmidt's can't fix, experts said.

"A large majority of the focus up until Sept. 11 has been on the
information security side of the equation, and there has been a
limited focus on infrastructures, particularly physical disruptions
and the interdependencies that proved so important during the Sept. 11
attacks," said Paula Scalingi, former director of the U.S. Department
of Energy's Office of Critical Infrastructure Protection and now
president of The Scalingi Group, a Tysons Corner, Va.-based
infrastructure security consulting firm.

The security industry still hasn't come to grips with defining the
scope of critical infrastructure protection, she said.

The more pressing need, said government and private sector officials,
is for industry experts like Schmidt to provide sector expertise to
the NIPC so that interdependencies between the telecommunications
grid, power grid, energy pipelines, emergency service networks and
other critical services can be better understood.

In fact, NIPC director Ronald Dick acknowledged last August a critical
need for private-sector expertise (see story). "I need people who know
gas and water, people who know electric power and the transportation
system," he said.

Dick has praised the relationship between his agency and the North
American Electric Reliability Council in Princeton, N.J., citing it as
one of the first arrangements where classified cybersecurity
information is being shared with industry.

However, the electric power industry is a prime example of a sector where
cooperation and focus remain a moving target. Joe Weiss, technical
manager of the enterprise infrastructure security program at the
Electric Power Research Institute in Palo Alto, Calif., said the fact
that some of the leading suppliers of IT systems that control electric
power throughout the country aren't members of the Partnership for
Critical Infrastructure Security (PCIS) is a major threat to critical
infrastructure. The PCIS is a key government/private-sector security
organization now working to enhance IT security.

"The Web sites will be safe, but the lights will be out, and water and
oil won't flow," said Weiss, stressing the fact that existing IT
technology won't work in industrial control systems and, in some
cases, can actually shut them down. "There have been vulnerability
assessments done and these important control systems have been shown
to be vulnerable," he said. "This is not in any way, shape or form
hypothetical."

GTE Corp., one of the suppliers mentioned by Weiss, couldn't be
reached for comment. However, Bud Greebey, a spokesman for Siemens AG,
another major supplier of critical industrial systems, said the
company is "not aware of any overtures to us from the PCIS." Even so,
the premise behind the PCIS is something Siemens fully supports, he
said.

Ron Ross, director of the National Information Assurance Partnership,
a Washington-based government-industry consortium led by the National
Institute of Standards and Technology and the National Security
Agency, agreed that there is an education and awareness gap regarding
potential vulnerabilities in some important systems and networks that
comprise the critical infrastructure.

"We now have to begin to delve into a variety of areas that need
significant attention with regard to computer security," said Ross.

Alan Paller, director of the SANS Institute in Bethesda, Md., said
every technical, hands-on expert that the NIPC can add to its ranks
from the private sector would immediately help the cause of homeland
security. And while Schmidt offers policy expertise to the government,
his addition to the President's Critical Infrastructure Protection
Board "directly supports" the NIPC, said Paller.

A former senior government official, speaking on condition of
anonymity, said appointments that are heavy on prestige but light on
hands-on analysis capabilities aren't what's needed right now. "They
[the NIPC] need sector expertise and particularly analytic
capabilities to address infrastructure interdependencies," the
official said.
