After working for years to prevent cyberterrorist attacks on the U.S., the Department of Homeland Security has approached the private sector for help.
At a talk given to information security professionals at the RSA Security Conference, Homeland Security Secretary Michael Chertoff warned that a cyberterrorist attack would hurt the U.S. as much as the attacks on the World Trade Center buildings on Sept. 11, 2001.
Citing the massive denial of service attack that shut down Estonian government computers last year, Chertoff said the Internet enables terrorists and criminals to increase the damage they cause way beyond what they can do on their own.
Holes in the System
The White House Office of Management and Budget (OMB) announced in March that computer security incidents reported last year more than doubled over those in 2006, according to reports from federal computer network managers.
The total number of security incidents reported by departments and agencies to the U.S. Computer Emergency Readiness Team (US-CERT) shot up from about 5,100 in 2006 to almost 13,000 last year.
US-CERT is the Department of Homeland Security’s monitoring center.
Beefing Up America’s Defenses
It’s not that the U.S. government isn’t trying to do something about security; for some years now, the Department of Defense has been working to strengthen America’s cyber defenses.
In January, President Bush took the next step — he signed a directive launching the National Strategy to Secure Cyberspace, which gave the Department of Homeland Security (DHS) the green light to strengthen computer security in federal IT installations, which have frequently failed audits conducted by the Government Accountability Office (GAO).
The presidential directive also authorizes the National Security Agency (NSA) to monitor computers in all federal agencies.
The DHS is launching what Chertoff described as a “reverse Manhattan Project” to secure the Web. The Manhattan Project built the then-ultimate offensive weapon, the atom bomb; the reverse Manhattan Project will build the ultimate defensive weapon.
One of the project’s goals is to reduce the number of outside access points to U.S. government systems from a few thousand to about 50, Chertoff said.
Chertoff wants federal agencies to improve their threat detection and response capabilities to a minimum baseline level, and wants to see the federal government develop an early warning system that would halt impending attacks.
The DHS has created a National Cyber Security Center to do this. It will be headed by Internet entrepreneur Rod Beckstrom, who cofounded CATS Software, a derivatives and risk management software company; serves on the board of trustees of the Environmental Defense Fund; and was chairman of Twiki.net, a company that supports TWiki, an open source Wiki.
The beefed-up defense will ensure that federal agencies can respond to cyberthreats around the clock. It should be able to monitor access to federal networks in real time and anticipate forthcoming threats, unlike US-CERT’s Einstein system, which can only identify attacks after they happen.
Einstein is an automated process for collecting, correlating, analyzing and sharing computer security information across federal government IT installations.
The government will have to increase its use of accreditation and certification authorities to improve security.
Turning to the Private Sector
Chertoff said he hoped to attract private sector talent from people who have the desire to serve.
He also said the federal government needs to engage with the private sector because private companies secure much of America’s critical infrastructure. When U.S. government network security systems are strengthened, he asserted, the government will share some network security data with the private sector to help the latter keep its systems secure.
Security, Chertoff said, is a shared function.
Industry’s Ahead of the Curve
Chertoff’s remark that security is a shared function highlighted the mindset among IT security companies.
In his keynote earlier in the day, Symantec Chairman and CEO John W. Thompson called for a strong federal anti-hacker law to replace the piecemeal state-by-state approach that now exists. He also said security is not just a national issue but also a global issue.
Innovative Card Technologies CEO and President Steven R. Delcarson told TechNewsWorld that two-factor authentication will soon become a necessity, even online or to access IT systems in both the government and private enterprise.
Two-factor authentication is where a user provides a password and a second piece of identification to establish his or her identity.
Innovative Card Technologies offers a credit-card-sized device with a Public Key Infrastructure chip running an algorithm that randomly generates a one-time pass code, which is used in conjunction with a password provided by the user. This is already being used in some government departments to replace existing magnetic-stripe cards.