Senate Delay Muddles Security Reporting

[InfoSec News <isn () c4i org>]

http://www.eweek.com/article2/0,3959,598611,00.asp

By Dennis Fisher 
October 7, 2002 

As the bill authorizing the proposed Department of Homeland Security
languishes in the Senate, government officials are discussing the
possibility of informally consolidating federal information security
agencies, according to sources familiar with the plan.

The effort would take the place, at least temporarily, of more formal
consolidation spelled out in the Homeland Security proposal, sources
said. Specifically, the new plan calls for the FBI's National
Infrastructure Protection Center, the Federal Computer Incident
Response Center and other organizations to begin meeting on a regular
basis, weekly perhaps, and share duties and results from their
operations, they said.

The move comes amid growing concern among security experts that delays
in the passing of the bill are hampering sorely needed efforts to
improve vulnerability reporting and response.

"I think if [the delay] lasts more than four or five weeks, [the
informal consolidation] will happen and probably without any
government edict," said Alan Paller, director of research at The SANS
Institute, in Bethesda, Md.

Security experts say the fact that the government is even discussing
such an idea outside the Homeland Security bill is indicative of how
much things have changed in Washington.

"The government after [Sept. 11, 2001] realized that their methods for
gathering intelligence and sifting it wasn't working," said Kevin
Nixon, senior director of business strategy on the staff of the chief
security officer at Exodus, a subsidiary of Cable & Wireless plc.,
based in London. "They need to use nonconventional methods. It shows
they're using breakthrough thinking."

Government officials, particularly Richard Clarke, chairman of the
President's Critical Infrastructure Protection Board, have said they
want security researchers to report new vulnerabilities directly to
the government and no one else, except the affected vendors. But the
rat's nest of federal security groups and their fuzzy areas of
responsibility make such reporting difficult.

What's needed, researchers say, is a single point of contact within
the government for vulnerability reporting.

"There's so much overlap with all of them, you never know who to deal
with," said Dan Ingevaldson, team lead on the X-Force research and
development team at Internet Security Systems Inc., in Atlanta. "It's
pretty obvious there's a need [for consolidation of the government's
personnel]."

In the meantime, however, government officials are urging researchers
to take care with their discoveries.

"It is irresponsible when you find a vulnerability to tell everyone in
the world about it. It is the height of irresponsibility," Clarke said
this week. "Tell the right people and keep it secret until a patch can
be distributed."

The administration - and much of Congress - had hoped to enact the
Department of Homeland Security bill by Sept. 11. In July, the House
of Representatives approved a bill supporting the administration's
vision for the department, but the legislation is stymied in the
Senate, where a partisan debate over the collective bargaining rights
of department employees has prevented a vote.

The Senate had planned to adjourn by the middle of this month in light
of next month's election, but efforts to bring the Department of
Homeland Security measure to a vote may keep the chamber in session
longer and may bring lawmakers back to Washington after the election.  
At this point, the issue appears sufficiently bogged down to preclude
a vote before the 107th Congress comes to a close. If that happens,
debate could begin from scratch when the new Congress convenes in
January.

As proposed, the Information Analysis and Infrastructure Protection
section of the Department of Homeland Security would subsume a portion
of the NIPC, FedCIRC, the Critical Infrastructure Assurance Office at
the Department of Commerce, the National Communications System at the
Department of Defense, and the Department of Energy's National
Infrastructure Simulation and Analysis Center, as well as taking some
personnel from the Secret Service. Currently, these groups operate
autonomously, with little information shared among them.





-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.