Directive will help shore up security, experts say
- By William Jackson
- Sep 07, 1998
The directive will guide agencies
in securing against cyberattacks, CIAO's Paul Rodgers says.
Defense Information Systems Agency networks that failed a well-publicized 1996 security
test would not pass it today either, DISA personnel acknowledged at a General Services
Administration seminar in Washington last month.
Sixty-five percent of the 1996 intrusions were successful, and only 4 percent of
networks detected the attacks. Defense Department managers reported 1 percent of the
attacks to DISA.
But DOD could improve its network security as a result of a presidential initiative to
safeguard the nation's critical infrastructures within five years, said Mark Fabro, a
former hacker and now director of professional services at Secure Computing Corp. of San
"It is going to help you," Fabro told the federal audience. "It's a
The initiative, spelled out in May in Presidential Decision Directive 63, establishes a
Critical Infrastructure Assurance Office (CIAO) and a complex web of groups and committees
to implement a National Infrastructure Assurance Plan.
Federal agencies have until Nov. 18 to submit a systems protection plan to the Critical
Infrastructure Coordination Group.
The president directed agencies to reach an initial security level by May 22, 2000, and
be fully secure three years later.
The effort will combat what Paul Rodgers, a senior CIAO executive, called endless
conflict with physical threats and cyberthreats from criminals and terrorists.
Decision Directive 63 calls for voluntary cooperation from the private sector, which
delivers most of the nation's telecommunications, power, transportation, finance,
water and emergency services.
Government agencies are supposed to lead by example, implementing the best practices to
secure their own systems. So far, however, the government has not set a very good example,
the speakers at the GSA seminar said.
Fabro described a tool kit for hacker attacks, much of which has been around for years
in easy-to-execute programs available on the Internet.
"I'm talking about stupid stuff," Fabro said. "But it is current,
and it works. People haven't bothered to fix the damn problems."
The directive grew out of a study last year by the President's Commission on
Critical Infrastructure Protection. The study found no immediate crisis but warned that
vulnerabilities are increasing.
The president has named Richard Clarke, a member of the National Security Council, as
the national coordinator for security, infrastructure protection and counterterrorism. He
is also chairman of the Critical Infrastructure Coordination Group.
CIAO will support Clarke's commission in implementing the National Infrastructure
The plan calls for eight government agencies to work with industries in developing
comprehensive security plans. They are the Environmental Protection Agency, Federal
Emergency Management Agency and the departments of Commerce, Energy, Health and Human
Services, Justice, Transportation and Treasury.
Four other agencies will address special areas. Justice will deal with law enforcement
and internal security, the CIA with foreign intelligence, the State Department with
foreign affairs and DOD with national defense.
William Jackson is a Maryland-based freelance writer.