Bombings keep security hot topic

Tightened security against terrorist attacks at federal buildings and facilities will
not translate into an immediate strengthening of security in government systems, leading
security experts predicted.

In fact, the barricades placed around the Washington Monument to block car bombs in the
wake of the embassy bombings last month in Africa have little correlation to the
cyberworld, experts said.

“You can’t really build a wall around systems that is as good as the wall
around the White House,” said Alan Paller, director of research for the Sans
Institute, a security research organization in Bethesda, Md.

“There is no way” the government can amass an army of people to counter
cyberterrorism, he said.

“In the federal government, the first line of defense are your system
administrators and historically those positions have been collateral duties,” said
Mark A. Boster, the Justice Department’s deputy chief information officer and
chairman of the CIO Council’s Security Committee. “Our system administrators
don’t have the technical expertise that is necessary today.”

Unlike the barricades around the Washington Monument, the best security is built into
systems as they are designed, said David V. Keyes, senior manager for KPMG Peat Marwick of
New York. He served as the director of the Transition Office for the President’s
Commission on Critical Infrastructure Protection.

“To retrofit security into those systems is harder and more expensive than it is
to integrate it into a long-term strategy,” Keyes said.

Boster agreed. “We have got to get the program people to not only be more aware of
what the risks are but to take them seriously and demand that their information technology
people build security into their day-to-day operations,” he said.

Dorothy Denning, a computer science professor at Georgetown University and a noted
security expert, said the most secure systems are those with the fewest links. “The
problem is, then you can’t be so connected,” she said.

Before the recent bombings, agencies already were supposed to be taking a hard look at
systems security. Presidential Decision Directive 63 requires agencies to complete an
initial vulnerability assessment by November. [GCN, June 29, Page 6].

Furthermore, Boster said, stronger security is a vital part of the architecture
required under the IT Management Reform Act.

“We’ll start moving to a more standard or common infrastructure across the
organization,” he said. “That’s going to be the platform on which you can
build a meaningful security program.”

Keyes suggested that managers leverage their year 2000 work to improve systems
security. “A lot of people are so distracted by year 2000 issues that they think
infrastructure assurance is unrelated when, in fact, they go hand in glove,” Keyes

In fact, year 2000 work may have given agencies an edge: They have identified their
most critical systems and can build security plans based on that knowledge, the experts

“You need to do it in the place that you need it most,” Paller said.
“Isn’t it wonderful that everyone has already gone to the trouble of creating an

The CIO Council Security Committee also plans to offer independent assessments of
agency security implementation, Boster said, perhaps through a venue resembling the
Information Technology Resources Board, which provides peer review of systems.

The volunteer security group might evaluate security programs and suggest ways to boost
systems safeguards, Boster said.  

Stay Connected

Sign up for our newsletter.

I agree to this site's Privacy Policy.