By Jill R. Aitoro
January 29, 2008
A system that focuses on network protection will do little to fend off
intruders, industry sources argue in response to reports that President
Bush will allocate $6 billion in his 2009 budget to a cybersecurity
project meant to shield communication networks from terrorists and
The Wall Street Journal reported on Monday that the administration
plans to reduce access points from the Internet to government networks
and better monitor intrusion attempts through the use of network sensors
that detect suspicious patterns. Once implemented in government, the
program would be adapted to private networks. Former officials told The
Wall Street Journal that the $6 billion would be the initial part of a
potential total cost of $30 billion over seven years.
"Five years ago we needed this type of investment," said Howard Schmidt,
president and CEO of R&H Security Consulting, former vice chairman of
the president's Critical Infrastructure Protection Board and special
adviser to the White House on cyberspace security. "Is it enough? Only
time will tell, but it seems to be a good amount to deal with some of
the issues we've identified for the past five years."
Between 2003 and 2006, nearly 63,000 cyber incidents were reported to
the Homeland Security Department's U.S. Computer Emergency Readiness
Team, established in 2003 to coordinate defense against and responses to
cyberattacks. Of that total, nearly 4,000 were policy violations, more
than 4,600 were malware findings and nearly 42,000 were phishing attempts.
"No matter what form the attacks take, they continue to come," DHS
cybersecurity and communications assistant secretary Greg Garcia said in
Federal officials remain mum on details of the alleged cybersecurity
system, which one DHS spokesperson called speculation until the
president rolls out the budget.
Some argue that a focus on intrusion detection alone is not enough.
"Securing a network is not the same as securing the data," Schmidt said.
"When you look at securing government systems, there needs to be a lot
of restructuring of the architecture -- legacy hardware, software and
applications. None of those were designed to operate in the high threat
environment we operate in today. All of that needs to be ripped out and
Chris Wysopal, chief technology officer at Burlington, Mass.-based
application security vendor Veracode, compares a network-centric
security strategy with posting police on every corner in a dangerous
neighborhood, but failing to fix shoddy locks on the houses.
"Intrusion protection and detection machines are only one piece of the
puzzle," Wysopal said, pointing to the source of data -- the operating
systems and applications themselves -- as equally if not more
vulnerable. "When I install software of unknown pedigree, I'm installing
a lot of risk. That mentality has to change. I need to know who wrote it,
how it was written, and what standards or tests it passed to show it has
the quality I need. We wouldn't plug in electrical equipment if it
wasn't UL listed because we couldn't ensure our business, but software
often slips right in. The bar doesn't have to be super high, but there
needs to be a bar."
A number of recent incidents magnified the need to better secure public
and private networks. On Jan. 16, a CIA official confirmed attacks
on computers that operate power companies worldwide, causing at least
one widespread electricity outage. And in March 2007, researchers from
the Idaho National Laboratories simulated a cyberattack on a power
plant's control system that caused a generator to self-destruct. The
test prompted a hearing held by the House Homeland Security
Subcommittee on Emerging Threats, Cybersecurity, and Science and
Technology to examine vulnerabilities in the computer networks that run
water, power and chemical plants.
In 2006, DHS ran the first national cyber exercise to determine how the
federal government and corporations running the nation's infrastructure
would respond to a cyberattack. Security experts criticized the
exercise, saying it failed to determine basic procedures such as whether
the federal government or the private sector was in charge of issuing