IT security: Too big for government

IT security: Too big for government
IT security: Too big for government 

By William Jackson
GCN Staff
08/13/07 issue

Agencies can lead, but the private sector needs to tackle the problem, 
experts say
Information technology security and information assurance are becoming 
too critical, too big and too complex a problem for the government to 
handle by itself, according to two security experts. But they disagree 
on how well government and industry are responding to the need for 
greater cooperation to improve cybersecurity.

Tony Sager, chief of the National Security Agencys Vulnerability 
Analysis and Operations Group, said in an opening address at the recent 
Black Hat security conference in Las Vegas that government needs 
industrys help and that NSA is reaching out to industry.

Weve got to figure out how to solve this problem with solutions that 
scale across the entire community, Sager said. That means his agency 
must bring its information to the table and find common ground with the 
private and academic sectors.  Were from the government and were here to 
help doesnt work with this crowd.

According to Richard Clarke, former U.S. counterterrorism czar, who 
shared the opening keynote address slot with Sager, the governments 
culture must change a lot more before the countrys critical 
infrastructure can be secured.

Id like to know why it was that we lost momentum in solving the problem 
in more than a piecemeal manner, Clarke said in an interview with 
Government Computer News. There is no leadership. There is no national 
plan implemented.

Industry, commerce, health care and national defense increasingly rely 
on an Internet that remains brittle and open to attack and disruption, 
Clarke said. The day-to-day environment is replete with crime and 
espionage. We are accepting a high level of cost we neednt accept. But 
weve done nothing to solve the problem.

Clarke has been a high-profile critic of the nations cyberdefense 
efforts since his retirement from government in 2003. Now the chairman 
of Good Harbor Consulting, he served under four presidents, from Ronald 
Reagan to George W. Bush. His last government position was chief 
counterterrorism adviser under Presidents Clinton and Bush, and he 
helped develop the National Strategy to Secure Cyber Space, released in 
February 2003.

Despite concerns about a lack of leadership, change is occurring, Sager 
said. Although much of NSAs work remains secret, Sagers organization in 
the agency is a reflection of the need to work with industry to develop 
open and standardized security and research practices.

When Sager began working at NSA in 1977, it was a dramatically different 
security problem, he said. IT security was a government monopoly. The 
government owned the problem, and could control the technology. Those 
days are over.

NSA has struggled with the change in culture. But you have no choice but 
to be concerned about the security of commercial products the government 
does not control, Sager said. We changed the way we behaved to gain the 
trust and cooperation of the security research community.

But according to Clarke, government has lost an opportunity to make real 
progress in IT security since the release of the National Strategy to 
Secure Cyber Space. In this case, we had high-level awareness that there 
was a problem, Clarke said. President Bush signed off on the strategy 
and there was an understanding among government and industry leaders who 
collaborated on the strategy of the need for the two sectors to 
cooperate. They understood it was not mainly a government problem, he 
said. There was a necessary role for government, but it was a 
private-sector problem, mainly.

However, little progress has been made and some ground has been lost. 
The government has failed to provide a role model for security, as it 
was supposed to under the strategy; federal funding for security 
research and development is down; and the situation probably will get 
worse before it gets better, he said. We need to ask ourselves, why?

No leader

The problem stems from a lack of congressional as well as presidential 
leadership, coupled with a lack of executive initiative in the private 
sector, Clarke said.

The government didnt want to regulate, he said, and did not feel 
competent to regulate in technical areas. Without government leadership, 
corporations wont move unless forced by some catastrophe. What motivates 
people at the corporate level is disaster.

Meanwhile, there has been progress from companies that see a 
relationship between the security of their products and their business 
success. Corporate giants such as Microsoft, Cisco and Oracle often are 
cited as examples of companies that have improved their own software 
development processes. Government has had a hand in encouraging those 
improvements by creating standards and putting business pressure on the 

NSAs set of security guidelines for Windows NT in 1999 was just one of 
14 sets of such guidelines for that operating system. But the complexity 
of Windows 2000 made the job too difficult for NSA to handle alone.

The agency built a cross-agency, public/private partnership with the 
Defense Information Systems Agency, the National Institute of Standards 
and Technology (NIST), the SANS Institute and the Center for Internet 
Security to develop guidelines.

This led to a standard default configuration for the OS required by the 
Air Force, which eventually was adopted by the Defense Department and 
civilian agencies. NSA now is partnering with other agencies in 
developing a number of open programs such as the Common Vulnerabilities 
and Exposures scheme and the Security Content Automation Program housed 
at NIST.

But Clarke said effective leadership could have accomplished much more 
by now. Service providers could be filtering malware before it hits the 
local-area network and end user, he said. There could be better and more 
encryption, a secure Domain Name System and a parallel network structure 
to provide priority service during emergencies.

However, there are bright spots. Companies are beginning to reduce the 
scope of vulnerabilities in their software and IPv6 is slowly moving 
forward, especially in Asia. But Clarke is not optimistic about the 
governments ability to make use of the new version of IP, which is 
supposed to be enabled on agencies backbone networks by next June.

I am very skeptical that the government is going to do the things it 
says it will do, because it hasnt over the last five years, he said.

What can be done to improve the situation? The next administration might 
appoint someone to lead the effort, he said. Certainly not me, because 
Im not going back in.

Until that leadership comes, Clarke is afraid that nothing short of a 
catastrophe will focus adequate attention on these issues.

In the absence of the financial pain caused by a cyberdisaster, the only 
thing thats going to get anybody to do anything is regulation, Clarke 
said. And thats too bad, but when you have a market failure, you have to 
have regulation.

Copyright 1996-2007 1105 Media, Inc. All Rights Reserved.

Attend HITBSecConf2007 - Malaysia 
Taking place September 3-6 2007 featuring seven tracks of technical 
training and a dual-track security conference with keynote speakers 
Lance Spitzner and Mikko Hypponen!  -  Book your seats today! 

Site design & layout copyright © 1986-2014 CodeGods