Agencies face a range of new challenges in protecting their systems against attack

Agencies face a range of new challenges in protecting their systems against attack

By Richard W. Walker

GCN Staff

The year 2000 date code repair effort is over, and everybody's riding high. All went well. All those long hours paid off. The systems were fixed and there were no major glitches. Congressman Horn is off your back. You're feeling pretty good.

Now here's a reality check, delivered by Don Hagerling, the Treasury Department's security wonk: 'Our infrastructures are wide open to attack. Because we're so heavily dependent on them, we've essentially painted a bull's-eye around them.'

The United States, unlike most countries, is almost entirely dependent on automated systems, said Hagerling, program manager for information security at Treasury.

'We've gone the extra mile in automating our systems,' he said. 'Because of our relative affluence, we've integrated automation more into our lifestyle. For example, virtually all of the traffic lights in any major city are part of a networked distribution system. In most of the rest of the world, traffic lights just run on timers.'

The recent wave of denial-of-service attacks on big commercial Web sites, including those of Yahoo Inc., Inc. and e-Bay Inc., sent a shudder through the federal government.

Where to look for more information
This list of government and organization Web sites can help you keep current with security developments.

''the Computer Emergency Response Team Coordination Center

''the Federal Incident Response Capability

''the National Infrastructure Protection Center

' 'Infosyssec, the Security Portal for Information Systems Security Professionals, started by students at Algonquin College

''the site run by Barn Owl Software focuses on myths surounding computer viruses

''the SANS Institute

''Symantec Corp.'s AntiVirus Research Center Department

''the Justice Computer Department Crime and Intellectual Property Section

'The federal government is a huge target and, just like with the private sector, the bigger and tougher the challenge it is to get into, the more fun it is for the hackers,' said a security advocate on the Hill.

To some extent, computer security is viewed as the new year 2000 problem, presenting technical and management challenges that will require a similar, coordinated response across the government to get the job done.

But for many security experts, the similarities end there.

'With Y2K it was pretty clear what the problem was,' said Bruce McConnell, director of the United Nations' International Year 2000 Coordination Center and former chief of information policy and technology at the Office of Management and Budget. 'Security is not that simple. There's no obvious methodology, it's more diffused and there's no deadline.'

Another difference is the absence of a sense of urgency on dealing with the problem'although that may be changing in the wake of the recent assaults on commercial sites. Part of the problem is that security specialists haven't been able to make the business case for security, McConnell said.

'You cannot sell security as security,' he said. It has to be sold as part of something else, such as electronic commerce, he said.

Andrew Boots, a champion for information privacy and security at the Education Department's Office of Student Financial Assistance, agreed. 'My view is that everybody from chief information officers to chief financial officers to chief executives has known that we've got an information security challenge,' he said. 'They've just never been able to make a business case that we need to make the investment that we're going to have to make.'

That point raises the issue of funding: There isn't any. At least there's no specific or emergency funding for security as there was for year 2000 work.

Don Hagerling

That's where the year 2000 effort can provide a model, Hagerling said.

'We knew about the year 2000 problem for 20 years,' he said. 'From the day people first started writing code, we knew it was going to expire, that it was going to be a problem. But nobody had the resources to try to address the problem until we set aside emergency funding and specific funding for the Y2K effort. Right now there is an unwillingness to take that same approach with security.'

He added, 'We cannot even find the resources to find out what our vulnerabilities are, let alone the resources it's going to take to fix those vulnerabilities or deploy the countermeasures.'

Aside from the complex business and political factors surrounding it, security itself is elementary, Hagerling said.

'You figure out what you've got and who should have access to it and you try to enforce those decisions,' he said. 'But this equation means you have to know who you're dealing with. If you don't have strong assurance, if you don't know who you're dealing with, you don't have security.'

Bruce McConnell

Public-key infrastructure technology is widely seen as the solution to the authentication challenge.

'Right now, X.509-based digital certificate authentication is the only answer,' Hagerling said. 'It's not like there's a close second.'

Technological solutions, however, are useless without an overall policy and management strategy.

'You can throw all the technology in the world at the problem, but unless you've decided what information you want to protect and how to protect it, the technology isn't going to figure that out for you,' Hagerling said.

'The dirty little secret of computer security is that the tools don't solve the problem,' said Alan Paller, research director of the SANS Institute in Bethesda, Md. 'The tools actually provide a false sense of security. The reality of what solves the problem is training systems administrators to systematically protect their systems.'

As more agencies build virtual private networks, perhaps security consciousness will rise. In a recent GCN survey of federal systems administrators, 57 percent of those who did not have a VPN said they planned to deploy one in the next one to three years.

'Security is at the heart of making a VPN something you can use,' IBM Corp. networking consultant Laura Knapp told an audience at the recent ComNet in Washington.

One final thing. Rep. Steve Horn (R-Calif.) may be off your back, but only temporarily. He's getting ready to assess agency progress on security.

'We're gearing up now, post-Y2K, to get into security,' said a spokesman at a meeting of Horn's Government Reform Subcommittee on Government Management, Information and Technology.

Committee staff members are determining how agencies would be graded on security and are meeting with security specialists at OMB, the General Accounting Office and the Chief Information Officers Council, as well as in the private sector.

'Developing the criteria for assessing security efforts is another ball game,' the spokesman said. 'It's clear that it's a different ball game than Y2K, which was an event. Security is an hourly challenge.'

Stay Connected

Sign up for our newsletter.

I agree to this site's Privacy Policy.