The Air Force's deputy CIO last week called on the software industry to deliver products that are more secure out of the box than they are now.
Back in June, at a hearing before the Joint Economic Committee, Sen. Robert F. Bennett (R-Utah) suggested that the next terrorist attack on the United States would be cyberwarfare.
'That would produce more economic destruction in the long term,' he said.
But Lawrence K. Gershwin, the CIA's national intelligence officer for science and technology, replied with chilling foresight, 'Terrorists want to see something on television' [GCN, July 2, Page 8].
In spite of the physical damage done by the Sept. 11 attacks, Bennett has reiterated his warnings about information security.
'It is still vitally important that we pay attention to how vulnerable we are in the information age,' he said.
The extent of that vulnerability was underscored late last month in General Accounting Office testimony.
'Federal agencies have serious and widespread computer security weaknesses,' Joel C. Willemssen, GAO's managing director of IT issues, told the House Government Reform Subcommittee on Government Efficiency, Financial Management and Intergovernmental Relations.
Willemssen said a 1998 presidential directive calling for public-private cooperation in protecting critical infrastructure has had only limited success. Eight agencies have established liaisons with corresponding industrial sectors, and six information sharing and analysis centers have been set up. But antitrust restrictions and possible public disclosure of proprietary information have hampered data sharing, Willemssen said.
Security blind spot
Bennett called those concerns a serious security blind spot. Along with Sen. Jon Kyl (R-Ariz.) he has introduced a bill that would give limited exemption from the Freedom of Information Act and antitrust laws to companies that voluntarily share security information.
The bill, the Critical Infrastructure Information Security Act of 2001, would let companies request confidentiality for security information they submit to one of 13 designated agencies.
The antitrust exemption would let competitors cooperate on security matters. The exemption would not apply to efforts to organize boycotts, divide markets or fix prices.
Although the act addresses specific cybersecurity problems, Willemssen noted several pervasive weaknesses in government information systems. Since 1996, he said, GAO has found recurring problems in six areas:
These problems result from lack of a national plan for cyberprotection, Willemssen said.
Ronald L. Dick, director of the National Infrastructure Protection Center, the multiagency law enforcement group housed at the FBI, told the subcommittee of the center's accomplishments.
'For the past three years, the NIPC was working tirelessly to build the broad partnerships we have today, to mobilize great talent, to break down the old ways of doing business, and to forge ahead with a united sense of government and private-sector purpose,' he said.
But NIPC has had only limited success, GAO concluded. It has cooperated in investigations and provided analysis and warnings of cyberthreats, but the warnings have come after threats were already under way. NIPC has not developed strategic capabilities to predict threats and issue timely warnings, and little information is being shared between public and private sectors, GAO said.
The failures grow out of a lack of generally accepted methodology for analyzing threats, a lack of industry-specific data, prolonged leadership vacancies at NIPC and staff shortages, GAO concluded.
NEXT STORY: Report: Feds face $75m in IT costs