Funding for federal IT security is too fragmented, Sen. Bennett says

By Christopher J. Dorobek
GCN Staff

Congress and government agencies are woefully ill-prepared to supply cybersecurity, officials said.

Reducing the threat to the nation's critical infrastructure will require a focused commitment, a central fund and trained workers, they said.

Congress does not yet have a structure to cut across committee jurisdictions. 'We get so wrapped up in specific committee assignments that we don't think horizontally,' said Sen. Robert F. Bennett (R-Utah), at the recent Industry Advisory Council's Executive Leadership Conference.

Working on it

Agencies do not yet have an adequate cyberwarfare structure in place, said Richard A. Clarke, a special assistant to the president and national coordinator for security, infrastructure protection and counterterrorism at the Critical Infrastructure Assurance Office.

The year 2000 problem has been well served by having John A. Koskinen, chairman of the President's Council on the Year 2000 Conversion, as an advocate, Clarke said, and a similar cybersecurity czar will be needed to spearhead the efforts to protect critical infrastructures. The battle, however, will also require money, he said.

It is uncertain, however, whether there will be a budget contingency fund for information security similar to the $3.2 billion that was allocated for the year 2000 problem, Bennett said. That will largely depend on whether Congress adequately supports information security.

If cybersecurity is to be taken seriously, it will require funding similar to that provided for the year 2000 problem, Clarke said. 'We will not get that level of effort out of the normal budget,' he said. 'We need to think about a single initiative, a single fund, to secure federal government computers.'

But there has to be a more streamlined way of approving those funds; cybersecurity budget requests are scattered among many committees, he said. The recent $39 million request [GCN, Oct. 4, Page 1] has gone to 12 subcommittees, he said. 'It is difficult to deal with what is a holistic problem in that kind of truncated way,' Clarke said.

Bennett, however, said any new cybersecurity funds would likely be scattered throughout the budget. 'It will be fragmented unless we can create a center of focus in Congress around this question,' he said.

Cybersecurity is a whole new world and it will take time to get oriented in that world, Bennett said.

'Those who say that information warfare is just another weapon to be treated as another weapon system are contributing to the vulnerability,' he said. 'We must recognize that this is where we live now and take the appropriate steps to protect ourselves.

'We need to understand the kind of vulnerability we're facing, and we need to be determined that we're going to deal with it,' Bennett said.

Bennett said his concerns for IT security came out of his experiences with the year 2000 problem. 'As I got deeper into it, I started to realize how interconnected we are. I realized how vulnerable we were to someone who would wish us ill and would shut us down, not by accident, but on purpose,' he said.

The networked world has created incredible advantages, he said. But with those benefits come new vulnerabilities.

Cyberwarfare is different from traditional war, Bennett said. When traditional war planners did their work, they started with a map that would highlight where attacks could take place. The United States has also been protected from attacks by two vast oceans.

Those protections disappear in the new world, he said.

'When we think about information warfare, we should not be thinking about it as a new weapon in the evolution of warfare, although it clearly is that,' Bennett said. 'We should be thinking of it as ... a place where all the old protective walls are gone. It is a place where vulnerabilities can hit us anywhere and where they can hit us literally at the speed of light.'

It also requires a new defense mechanism, he said. Planners of systems attacks will likely ignore the military and target the critical infrastructures such as the power grid, telecommunications, transportation or financial systems, he said.

Clarke said the administration is also working to make agency cybersecurity a model. Part of that is attracting new IT workers by offering college scholarships in exchange for time served in federal employment.

'To fix the federal government, the first thing we need is people,' he said.

Agencies have been stepping up their focus on IT security. Mary Ellen Condon, director of the information management and security staff for the Justice Department, said Justice chief information officer Stephen R. Colgate recently ordered that the security of all department systems be certified by Dec. 31, 2000.

The department has found common deficiencies, including inadequate security awareness training, ineffective training of system administrators and weak implementation of technical controls, Condon said.
