Directive will help shore up security, experts say

The directive will guide agencies
in securing against cyberattacks, CIAO’s Paul Rodgers says.


Defense Information Systems Agency networks that failed a well-publicized 1996 security
test would not pass it today either, DISA personnel acknowledged at a General Services
Administration seminar in Washington last month.


Sixty-five percent of the 1996 intrusions were successful, and only 4 percent of
networks detected the attacks. Defense Department managers reported 1 percent of the
attacks to DISA.


But DOD could improve its network security as a result of a presidential initiative to
safeguard the nation’s critical infrastructures within five years, said Mark Fabro, a
former hacker and now director of professional services at Secure Computing Corp. of San
Jose, Calif.


“It is going to help you,” Fabro told the federal audience. “It’s a
great thing.”


The initiative, spelled out in May in Presidential Decision Directive 63, establishes a
Critical Infrastructure Assurance Office (CIAO) and a complex web of groups and committees
to implement a National Infrastructure Assurance Plan.


Federal agencies have until Nov. 18 to submit a systems protection plan to the Critical
Infrastructure Coordination Group.


The president directed agencies to reach an initial security level by May 22, 2000, and
be fully secure three years later.


The effort will combat what Paul Rodgers, a senior CIAO executive, called endless
conflict with physical threats and cyberthreats from criminals and terrorists.


Decision Directive 63 calls for voluntary cooperation from the private sector, which
delivers most of the nation’s telecommunications, power, transportation, finance,
water and emergency services.


Government agencies are supposed to lead by example, implementing the best practices to
secure their own systems. So far, however, the government has not set a very good example,
the speakers at the GSA seminar said.


Fabro described a tool kit for hacker attacks, much of which has been around for years
in easy-to-execute programs available on the Internet.


“I’m talking about stupid stuff,” Fabro said. “But it is current,
and it works. People haven’t bothered to fix the damn problems.”


The directive grew out of a study last year by the President’s Commission on
Critical Infrastructure Protection. The study found no immediate crisis but warned that
vulnerabilities are increasing.


The president has named Richard Clarke, a member of the National Security Council, as
the national coordinator for security, infrastructure protection and counterterrorism. He
is also chairman of the Critical Infrastructure Coordination Group.


CIAO will support Clarke’s commission in implementing the National Infrastructure
Assurance Plan.


The plan calls for eight government agencies to work with industries in developing
comprehensive security plans. They are the Environmental Protection Agency, Federal
Emergency Management Agency and the departments of Commerce, Energy, Health and Human
Services, Justice, Transportation and Treasury.


Four other agencies will address special areas. Justice will deal with law enforcement
and internal security, the CIA with foreign intelligence, the State Department with
foreign affairs and DOD with national defense.  

About the Author

William Jackson is a Maryland-based freelance writer.

inside gcn

  • A forward-located Control and Reporting Center. Air Force photo.

    Data security at the tactical edge: Rightsizing solutions

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above