Security experts preach the basics
There are no silver bullets for information assurance, experts inside and outside government said at recent conferences in Washington.
Awareness, planning, layers of defense and plenty of redundancy: all are necessary to secure information and keep systems operating. Agencies that had learned those lessons were in better shape than others to weather the events of Sept. 11.
Preparations for the year 2000 transition helped keep the Federal Reserve System running after Sept. 11, said Stephen R. Malphrus, CIO for the Fed's Board of Governors.
'In the financial sector, that was a dress rehearsal for what was to come,' Malphrus said at a homeland defense training conference presented by Market Access International. 'Short of nuclear war, I can't think of anything that would have a greater impact on the financial system than what happened Sept. 11.'
Even so, equity markets reopened the Monday following the attacks. On the Saturday before, the Fed's payment, clearing and settlement systems were tested with scripts developed for the year 2000 transition.
Year 2000 preparations also taught the Fed that security should not be left to IT people.
'It has to be dealt with at the level of business risk,' Malphrus said. 'The people who run the business lines are responsible for decisions on information security.'
The Navy's deputy CIO for e-business and security, David Wennergren, said the lesson of year 2000 was 'management by embarrassment. Nobody wanted to be the last to get their systems fixed.'
Speaking at an information assurance conference sponsored by E-Gov, he said annual reviews called for in the Government Information Security Reform Act provide the same kind of incentive for security.
The Navy-Marine Corps Intranet, which Wennergren called 'a very large seat management contract,' still is in the early stages of deployment. Nevertheless, it helped the Navy weather the attack on the Pentagon that destroyed 70 percent of Navy office space there, Wennergren said.
'On Sept. 12 we had a lot of people with no place to work,' he said. NMCI contractor Electronic Data Systems Corp. brought more than 800 notebook computers, more than 350 desktop PCs, and enough switches, routers and cabling to build a network from scratch for 700 people at a new site by the following Monday.
The Defense Department learned its cybersecurity lesson in 1998 during the Solar Sunrise intrusions, which were eventually traced to three teenagers in California and Israel, said Michael Jacobs, the National Security Agency's director of information assurance.
'That was a wake-up call for DOD,' Jacobs said at the homeland defense conference.
Although the lesson was not completely learned (a recent Congressional report card gave Defense an F for security), it helped redefine the issue.
'National security is no longer only classified things,' Jacobs said. Traditional distinctions between defense and intelligence communities and the private sector no longer apply.
In the right direction
Government is not organized for adequate information assurance across the public-private divide, but the President's Critical Infrastructure Protection Board is a step toward an integrated and consistent security architecture, Jacobs said.
Despite the Fed's preparedness, it learned some hard lessons from Sept. 11, Malphrus said.
'One area where we are vulnerable is telecommunications,' he said. Voice communication was difficult the day of the attack, and more lines to Fed backup sites will help avoid that problem in the future.
'Layers of redundancy are very important,' Malphrus said. In addition to multiple backup sites, the Fed has two Internet service providers to keep its Web site up in case one is out of commission. Also, the number of IT systems deemed critical went up in the wake of the attacks.
Mark Fabro, president of Terrasec Corp. of Toronto, said information assurance is not a technology problem. He outlined some ways for agencies to close the holes:
Security needs to be a separate line item in budgets.
Infrastructure vulnerabilities should be assessed as a whole, not piecemeal.
Security professionals need to communicate and exchange ideas rather than keep quiet about vulnerabilities.
Feedback on security policy and awareness is essential to know what works and what doesn't.
Complacency is deadly because more attacks could come at any time.