Report shows holes in cybersecurity plan

[InfoSec News <isn () c4i org>]

http://www.govexec.com/dailyfed/0604/062104tdpm1.htm

By William New
National Journal's Technology Daily
June 21, 2004

A report sent to a House oversight committee last month details the
Homeland Security Department's progress in implementing the national
cybersecurity strategy issued early last year.

The 35-page report, sent in reply to a request by the House Homeland
Security Committee for a detailed account of the strategy's
implementation, shows both progress and remaining work. There has been
no formal progress report from the Bush administration since the
strategy's release in January 2003.

The report also breaks down the fiscal 2005 funding request for each
item. The department's National Cyber Security Division is leading the
implementation.

The report shows that an assessment of vulnerabilities to critical
infrastructures long sought by Congress is targeted for 2005, with a
process for assessing Internet weaknesses due later this year.

Perhaps the most touted accomplishment in the report is the
establishment of a public-private structure for responding to
national-level cyber incidents by designating the U.S. Computer
Emergency Readiness Team (US-CERT) as the department's cybersecurity
operational body. US-CERT, a long-respected operation at
Carnegie-Mellon University, launched a national cyber-alert system in
January.

US-CERT now includes the former Federal Computer Incident Response
Center (FedCIRC) transferred to Homeland Security from the General
Services Administration. This summer, it is launching a private-public
partnership involving the panorama of stakeholders in the critical
infrastructure community, and this year the center will update various
aspects of a "partner portal," a secure Web site for coordination and
information sharing.

Work remains on an "ambitious and necessary" mandate in the strategy
to develop a round-the-clock cyber-response center, the department
said. "There exist a number of active and planned projects within the
[cybersecurity division] to locate and combine the correct mix of
people, processes and technology needed to create this capability,"  
the report said. For instance, a new "watch center" combining various
functions is being built for early next year.

The department is expanding the Critical Infrastructure Warning
Information Network (CWIN), a private communications network for voice
and data with no dependence on the Internet or public network. CWIN
terminals have been installed in key government and industry network
centers and in a United Kingdom facility. Other extensions are
underway in the project, for which $12.8 million is requested for
fiscal 2005.

The Cyber Interagency Incident Management Group, created to coordinate
intra-governmental preparedness and response operations, was created
after the Livewire simulated terrorist attack exercise in October
2003. A compromise amendment to the Homeland Security appropriations
bill on the Senate floor this week would move more funding within the
cybersecurity division's budget to cyber exercises, increasing that
item from $1.85 million to $3.5 million, according to an
administration official.

The report describes a number of active exercises nationwide.

The report also identifies issues related to: overcoming
private-sector reluctance to share proprietary information with the
government, authenticating electronic transactions, improving the
security of government work "outsourced" to the private sector,
securing wireless networks, improving state and local information
sharing and analysis centers, and enhancing the ability to identify
sources of cyber attacks.



_________________________________________
ISN mailing list
Sponsored by: OSVDB.org - For 15 cents a day, you could help feed an InfoSec junkie!
(Broke? Spend 15 minutes a day on the project!)