Cyberwar Foundering on Feuds?

[InfoSec News <isn () c4i org>]

http://www.wired.com/news/conflict/0,2100,47403,00.html

By Michelle Delio 
2:00 a.m. Oct. 9, 2001 PDT 

Some government agency workers charged with protecting critical
computer systems are increasingly becoming entangled in
counterproductive, time-wasting power plays, according to sources
inside and outside of the agencies.

Political power plays aren't news, but the struggle between the
FBI-led National Infrastructure Protection Center (NIPC) and the newly
formed Homeland Security Office has many doubting that either agency
will be able to perform at peak levels over the next few months.

The NIPC, established in February 1998, was assigned to protect U.S.
critical systems against terrorism and other attacks, duties that have
now also been assigned to the Homeland Security Office (HSO), formed
in response to the Sept. 11 terrorist attacks.

Over the years the NIPC has increasingly focused on computer security,
but the HSO also has a new cyber-security division.

"Homeland Defense wants the NIPC to report to them, but the NIPC
believes they should be the cyber-security office," said Rob
Rosenberger of security news site Vmyths.

"Fights have started to break out over the lines and boxes on Homeland
Security's organization chart. The Bush administration will waste a
lot of time and effort over the next few months while offices jockey
for position."

Sources inside the agencies confirmed there has been some confusion
and tension over who will report to whom but insist that the majority
of employees in both agencies remain focused.

"This isn't the time to play political slap and tickle with each
other. We need to get focused fast," said an FBI agent who requested
anonymity.

But security experts are divided over whether the agencies can put
power plays aside.

President Bush installed former Pennsylvania Gov. Tom Ridge as head of
the Office of Homeland Security on Monday, pledging, "America is going
to be prepared."

Richard Clarke, who has served as counter terrorism chief at the White
House for more than a decade, will head the new Office of Cyberspace
Security and will report to Ridge. But according to the presidential
order that outlines his job, Ridge has little power, beyond
persuasion, to compel other agencies or officials to do anything.

"I'm just not impressed with the overall United States government
infrastructure assurance effort," said Richard Forno, chief technology
officer for Shadowlogic.

Forno has acted as an adviser to the Department of Defense on
information warfare. "Clarke actually has a clue about this stuff, but
given the environment he's charged with working in, he can't be
effective."

Ridge's office declined to comment on how or if Ridge will be able to
coordinate efforts between his staff and agencies that have
historically avoided working together.

"Yes, there are issues. Yes, Ridge can request but not compel. That
will be taken advantage of by some. Understand though, times are very
different now. Most people are putting all that previous pettiness
aside, at least for a while. Ridge is well respected here," said the
FBI agent previously quoted.

Others said that it would be difficult for the agencies to work
together, but felt that the situation would be swiftly sorted out.

"Will there be clashes between the agencies? Yes. Is that OK? Well,
it's normal," said security expert Fred Villella. "Like
cyber-terrorism itself, this situation isn't out of control; but it
isn't under control either."

Villella was the executive secretary to the president's national
security adviser for emergency mobilization under the Reagan
administration. He now heads up New Dimensions International, a
security services company that recently introduced training against
cyber-terrorism attacks.

"There will be big turf issues to be resolved with FEMA (Federal
Emergency management Agency), NIPC and all of the other 'letter'
agencies," said Villella. "That is inevitable. And for many,
(computer) skills and getting a grip on the dimensions of cyberspace
and their adversaries' capabilities are needed competencies that have
yet to be acquired."

"But we do need a focus to direct attention to cyber-security. Richard
Clark and Tom Ridge's combined talents and drive in the right
direction will improve the approach," Villella said. "(It's) a very
tough task.... They will have to screen who they are influenced by.
There are those selling products like me, and there are a lot of
hacker types who focus on cryptography solutions. Which of these
approaches are right for the cyber-terror task? Or is there more than
one solution?"

Security experts said that basic measures, such as disconnecting
entire critical infrastructures from the Internet and ensuring that
all software meets stringent security guidelines, would go a long way
toward hardening U.S. cyber-defense.

Experts also pointed out that the government will most likely continue
to be led in their efforts to lock down computer systems by the
private computer security industry.

"The computer security industry guides the government, not the other
way around," Rosenberger said. "Face it: if a 'virus war' broke out,
our vaunted U.S. military would run like a helpless damsel to the
anti-viral industry."

Hackers or no hackers, Rosenberger and Forno don't hold out much hope
for governmental security experts.

"We'll see more meetings, taskforces, memos, reports etcetera," Forno
said. "Will it make a difference? It depends on how OHS is structured
and what authority Tom Ridge is given to force people in the
government to play ball. If, as it appears now, he is only to
coordinate things, it will never be effective."

"If the government does anything at all, it creates a bureaucracy,"
Rosenberger said. "Don't get me wrong, we need bureaucracies. And I
honestly believe the Feds will someday figure out what their
bureaucracy should do."

Rosenberger thinks that the NIPC will eventually come out on top of
the power heap.

"I'd bet on the gun-toting agents to win this one, especially if
Congress does enact a law to sentence virus writers to life in prison
without possibility of parole."

A new bill called Patriot (Provide Appropriate Tools Required to
Intercept and Obstruct Terrorism) -- which legally classifies many
hack attacks as acts of terrorism -- is making its way through the
House and Senate this week.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.