Lawmakers Seek Better Shields Against Cyberattacks

By Anne Gallagher, Contributing WriterInformation technology officials and lawmakers on Capitol Hill say quick fixes to protect IT products from future cyberattacks will fall short, and instead are calling for a comprehensive solution between industry and government.Such a solution may be a long way off, but in what could be at least a partial response, Sens. Joseph Lieberman, D-Conn., and Fred Thompson, R-Tenn., chairman of the Senate Governmental Affairs Committee, introduced the Government Information Security Act. Their bill (S.1993) is aimed at protecting federal government information systems from such cyberattacks. One provision in the bill gives the Office of Management and Budget additional authority to enhance governmentwide oversight of federal agencies. The bill also requires all federal agencies to have an annual independent audit of their information security programs and practices.The legislation has the support of the IT community and could pass this year, congressional staffers said. The senators plan to hold a series of hearings on the legislative proposal and the issue of computer vulnerability. The first, scheduled for March 2 before the Governmental Affairs Committee, planned to focus on the status of the government's information systems."The simple and frightening fact is, government computer systems are vulnerable to the kinds of attacks e-businesses have been suffering lately, and worse," Lieberman said at a Feb. 23 press conference announcing the bill. "Lax government computer security threatens our national security, our networks, our transportation and emergency services, our banking and finance."During a Feb. 23 Joint Economic Committee hearing on the Senate side, IT officials said the organizations recently attacked by hackers must take responsibility for better security practices. They also urged companies to upgrade their IT products with an eye toward stronger security.Officials from government, industry and academia told Senate lawmakers at the hearing that the recent string of hacker attacks on popular Internet sites should have been anticipated and avoided. Also, IT product design and development must improve to include more adequate protections, such as thicker firewalls, to ward off future attacks, they said."The people running the organizations that were seriously affected by the attacks should have been well-aware of the potential for such attacks and well-prepared for them, but apparently they were not," said Fred Cohen, principal member of the technical staff at Sandia National Laboratories in Albuquerque, N.M. "Despite their claims to the contrary, they could have weathered these attacks, and a lot worse, if they had taken the time and effort to do a good job of information assurance in the first place," Cohen said. "Indeed, this lesson should extend to most parts of the United States government as well as many of the world's critical infrastructure providers."In the case of recent Internet-based "denial of service" attacks, the Computer Emergency Response Team (CERT) from Carnegie Mellon University in Pittsburgh and the FBI had been warning organizations about these attacks for months, Cohen said.Steve Cross, director of the Software Engineering Institute at Carnegie Mellon, said organizations are relying too heavily on silver-bullet solutions, such as firewalls and encryption, to solve security problems."The organizations that have applied a silver bullet are lulled into a false sense of security and become less vigilant, but single solutions applied once are neither foolproof nor adequate," Cross said. "Solutions must be combined and the security situation must be constantly monitored as technology changes and new exploitation techniques are discovered."Despite public concern, there is little evidence that security features of most IT products are improving, Cross added."Developers are not devoting sufficient effort to apply lessons learned about the sources of vulnerabilities," he said. "The CERT Coordination Center routinely receives reports of new vulnerabilities. We continue to see the same types of vulnerabilities in newer versions of products."Technology evolves so fast, vendors concentrate on time-to-market in introducing new products, Cross said, and often minimize that time by placing low priority on security features. "Until their customers demand products that are more secure, the situation is unlikely to change," he added. Meanwhile, engineering for ease of use is not being matched by engineering for ease of secure administration."Today's software products, workstations and personal computers bring the power of the computer to increasing numbers of people who use that power to perform their work more efficiently and effectively," Cross said. "Products are so easy to use that people with little technical knowledge or skill can install and operate them on their desktop computers. Unfortunately, it is difficult to configure and operate many of these products securely. This gap leads to increasing numbers of vulnerable systems."In its first full year of operation in 1989, the CERT Coordination Center responded to 132 computer security incidents. In 1999, that number shot to more than 8,000. All told, the CERT staff has handled more than 24,000 incidents and analyzed more than 1,500 computer vulnerabilities, Cross told the panel. The White House Office of Science and Technology estimates an annual cost of $100 million for U.S. losses of proprietary information.To help ward off cyberattacks, CERT is establishing a center to expand its work of collecting and analyzing information assurance data, Cross said. "The goals are to identify trends and to develop detection and mitigation strategies that provide high-leverage solutions to information assurance problems, including countermeasures for new vulnerabilities and emerging threats," he said.