By John Leyden
13th October 2005
... without a paddle
US cybersecurity risks are being poorly managed by the Department of
Homeland Security, according to a former US presidential information
security advisor. Peter Tippett, who recently served a two-year term
on the President's Information Technology Advisory Committee, said a
lack of leadership on electronic security left the US at a greater
risk of electronic attack.
Tippett, who is now chief technology officer with managed security
firm CyberTrust, compared Homeland Security's posture in defending
against electronic attacks to the lack of preparation by FEMA (Federal
Emergency Management Agency) in managing relief efforts for Hurricane
Katrina. "Something similar happened when Homeland Security got
responsibility for both FEMA and computer security. When
responsibility was transferred from the White House to Homeland
Security good people left the top. There's confusion over reporting
lines and no leadership," Tippett told El Reg.
The US government's cybersecurity responsibilities - along with those of
FEMA - were transferred from the White House to the Department of
Homeland Security during a reshuffle of 22 federal agencies three
Tippett's criticisms are echoed by auditors and by segments of the
security industry, who accuse Homeland Security of being ill-prepared
for emergencies and beset by bureaucratic bungling.
However, Howard Schmidt, chief exec of R&H Security and a former
senior White House cyber security advisor, defended the Homeland
Security agency's record. "There's been a lot of criticisms but they
don't take into account the good work that the Homeland Security
agency is doing. It is doing all it can to improve government systems
within the priorities it has. We are getting incrementally better
systems. Improvements will take time."
Back to basics
Schmidt made the comments at the SecureLondon conference, organised by
security training and certification body ISC(2), in London earlier
this week. Both Schmidt and Tippett have radical ideas for improving
cybersecurity in the IT industry. Schmidt wants to see software
developers held personally accountable for the security of the code
they write. This is a radical idea, but who is to blame for a Win
XP security bug, for example? It would take the brain of Sherlock
Holmes to apportion personal blame for that on any one developer, we
Tippett advocates the wider adoption of basic security defences rather
than government standards, which "don't translate into fewer hacker
attacks". It would be better if PCs denied actions by default rather
than permitting anything that was not known to be bad, he argued.
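To make the contrast concrete, here is a small added illustration (not from the article and not Tippett's own code) in Python: a blocklist-based "permit anything not known to be bad" check beside an allowlist-based "deny unless approved" check, run over constructed file hashes that include a repacked variant no signature yet covers.

```python
import hashlib

# Constructed stand-ins for executable contents; the hashes are derived from
# them, so nothing here corresponds to a real file.
def h(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()

OFFICE  = b"constructed: office suite binary"
BROWSER = b"constructed: web browser binary"
WORM_V1 = b"constructed: worm, first seen, has a signature"
WORM_V2 = b"constructed: worm, repacked variant, no signature yet"

# Blocklist: what a signature-based scanner knows today (only grows via updates).
KNOWN_BAD = {h(WORM_V1): "Worm.A"}
# Allowlist: what the organisation has explicitly vetted for execution.
APPROVED = {h(OFFICE): "office.exe", h(BROWSER): "browser.exe"}

def default_allow(file_hash: str) -> bool:
    """Default-allow posture: run anything that is not known to be bad."""
    return file_hash not in KNOWN_BAD

def default_deny(file_hash: str) -> bool:
    """Default-deny posture: run only what is explicitly approved."""
    return file_hash in APPROVED

def compare(samples):
    """Map each sample name to (runs under default-allow, runs under default-deny)."""
    return {name: (default_allow(h(content)), default_deny(h(content)))
            for name, content in samples}

# Constructed samples: a vetted app, a signatured worm, and an unsignatured variant.
SAMPLES = [("office.exe", OFFICE), ("Worm.A", WORM_V1), ("Worm.A.variant", WORM_V2)]

if __name__ == "__main__":
    for name, (allow, deny) in compare(SAMPLES).items():
        print(f"{name:15} default-allow runs it: {str(allow):5} "
              f"default-deny runs it: {deny}")
```

The unsignatured variant is the case that separates the two postures: the blocklist lets it run until an update arrives, while the allowlist never did.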
Tippett is credited with creating one of the first commercial
anti-virus products, which later became Symantec's Norton Anti-Virus.
He is highly critical of the industry he helped create.
"The anti-virus industry is not interested in default deny because if
they did that they wouldn't be able to sell updates," he said.
"Information security problems are getting worse, even though people
are spending more. Throwing money at the problem isn't helping. All
the market wants to do is sell new gizmos," he added.