Internaut: Fiddling while the Net burns
We should all give thanks to the Government Accountability Office for confirming what many government IT managers already knew. When it comes to cybersecurity, a lot of federal agencies talk a good game but fail to turn that talk into a viable action plan.
IT managers have had a few weeks now to digest the GAO's critical report, 'Emerging Cybersecurity Issues Threaten Federal Information Systems' [go to www.gcn.com
and enter 434 in the GCN.com/box]. Most would agree that the time for more formidable action has come.
The issue of emerging threats is much larger than the spam, phishing and virus problems outlined in the report. The real challenge is finding a way to deal with the unknown, meaning the emerging attacks that IT managers won't see coming until they appear.
Phishing was a great example. Such schemes, which often entail simple pop-up windows disguised to look like official dialog boxes used for entering data into government or financial systems, still fool many people.
But how do we coordinate a viable effort to combat emerging threats across all of government? It turns out there's already a starting point.
In February 2003, the Homeland Security Department issued a report called the National Strategy to Secure Cyberspace [www.gcn.com, GCN.com/435]. It included 53 suggestions for protecting homes, businesses and institutions. Unfortunately, many suggestions in the report were never acted on. The report also addressed emerging threats by concluding that strategic analysis of attack methods was needed to fight the problem. But real analysis and execution is lacking, according to a May 2005 GAO report highlighting DHS' failure to protect critical infrastructure [www.GCN.com/427].
So assuming few people are heeding the advice of the nation's cybersecurity experts, here's a crib sheet of what needs to be done:
1) DHS' National Cyber Security Division needs to step up to the plate and start providing governmentwide guidance on combating threats. Boosting the budget for strategic analysis wouldn't hurt either.
2) Agencies need to refine and agree to a set of best practices that could be implemented governmentwide. Because emerging threats can take many forms, the best practices themselves should remain flexible.
3) Cybersecurity managers must set out specific rules governing the types of incidents that should be reported. Threat reports should trigger immediate feedback to systems managers on how to handle the incident.
4) Agencies should be required to monitor all CERT security alerts, plus relevant notices from DHS cybersecurity managers. If configuration changes or patches are needed, there should be enforceable deadlines for implementing the fixes. Weekly reports could be required, listing each alert.
5) There needs to be more outreach and training programs to make all employees aware of cybersecurity threats and proper countermeasures.
6) Finally, where's the national plan for Internet recovery? If the nation's networks are brought down, how, and how soon, could they be brought back online?
Not exactly an exhaustive list of 56 pointers, but maybe agencies just need to bite off only what they can chew. Or they should walk before they run. Whatever the clich', it's time to put words into action. A little progress now would go a long way to securing networks tomorrow.Shawn P. McCarthy is senior analyst and program manager for government IT opportunities at IDC of Framingham, Mass. E-mail him at