The U.S. government isn't doing enough to encourage cybersecurity efforts outside of government, and it still needs to get its own cybersecurity house in order, two security experts testified before a U.S. House committee Thursday.
Cybersecurity law might do nothing more than bury bureaucrats in paperwork, one witness at a House Government Reform Committee hearing testified. Another witness called on the government to push for more-secure Internet standards and for government agencies to separate their Web sites from networks containing security-sensitive information.
The U.S. government's Federal Information Security Management Act, passed in 2002 in an attempt to require U.S. agencies to track their cybersecurity efforts, "runs the risk of becoming a paperwork exercise," said Kenneth Ammon, president of NetSec, a managed security service vendor.
FISMA's emphasis on certification and accreditation ("C and A") of computer systems can help ensure security measures are built into new software, but it is difficult to apply certifications to existing legacy systems, Ammon told the committee.
"Due to the fact that FISMA compliance and progress have been equated with how many systems have gone through C and A, agencies are slavishly spending scarce resources to produce C and A reports that merely state the obvious--the legacy system is not secured and can't be effectively secured--in page after gory page of detail," Ammon said.
The U.S. government also should push for Internet tools like BGP (Border Gateway Protocol) and the DNS (Domain Name System) to include authentication security, added F. Thomson Leighton, chief scientist at Akamai Technologies, a distributed computing platform vendor. Both BGP and DNS lack authentication, making it relatively easy for hackers to redirect Internet traffic, he said.
The government's role should be to push for new security measures on the Internet, Leighton added. "I don't think we need to replace the Internet to make it more secure," he said. "It's improving the protocols. The federal government can certainly play an important role in highlighting the problem."
Committee chair Tom Davis (R-Virginia) asked if those protocols would be improved quickly if the federal government doesn't push for it. Leighton answered no.
Public vs. Private
Leighton also called on U.S. government agencies to separate their public-facing Web sites from other government networks. "As long as the public is invited into government networks in order to access Web sites, it is difficult, if not impossible, to prevent unwanted access by hackers," he said. "Today you have a situation where there are many government networks where they have thousands of public-facing Web sites sitting side-by-side with sensitive government services. That's a recipe for problems."
Asked by Representative John Tierney (D-Massachusetts) if separating public Web sites from sensitive government networks would reduce public access to government information, Leighton said the opposite would happen. With government Web sites running on their own networks, those sites would be faster to access and cheaper to maintain, Leighton said.
When the committee chair put the question of separating Web sites from other government data to Karen Evans, the administrator of the Office of Electronic Government in the White House Office of Management and Budget, she said it may work on an agency-by-agency basis. "That is an alternative that's considered," she said. "If that is the best solution for that agency's cybersecurity posture, as well as meeting the mission that they need, that's an alternative that's evaluated."
The testimony from Leighton and Ammon was important, Davis said, but he wasn't sure it made him feel better about U.S. cybersecurity efforts. "The worst case could be yet to come, and we could have a potential digital Pearl Harbor," Davis added. "My primary goal today is one of public education. Computer security can no longer be relegated to the back benches of public discourse, or remain the concern solely of governments or corporate technology experts."
But Evans, the new chief information officer for the White House OMB, defended government cybersecurity efforts, saying the Department of Homeland Security's Federal Computer Incident Response Center (FedCIRC) works with law enforcement agencies and private industry to promote incident reporting and cross-agency sharing of data about vulnerabilities. Forty-seven U.S. agencies subscribe to FedCIRC's Patch Authentication and Dissemination Capability, she added.
"OMB is committed to a federal government with resilient information systems," Evans said. "The dangers posed by the Internet must not be allowed to significantly affect agency business processes or disrupt services to the citizen."