Inattention to Security: Will 'Dollarizing' Make a Difference?

BY JOHN MAKULOWICHAnyone browsing documented reports over the last decade about the importance of information systems security and the need to beef up efforts, for instance, in civilian and defense federal units, would hardly be surprised by the current revelations of security lapses at the Department of Energy.What is surprising — if not alarming given society's deepening reliance on the Internet as well as the widening interconnection of distribution systems — is the continuing inattention paid to security issues by all except the most dedicated engineers and computer scientists. End users, network administrators and the academic community also are guilty of this inattention. The situation does not augur well for the future, according to experts.The reason for the inattention could not be the difficult terrain of information systems security. By now, it should be familiar ground. It is well-covered, for example, in the following:•The 1990 Report by the National Research Council (NRC), "Computers at Risk: Safe Computing in the Information Age." •The 1994 Report by the Joint Security Commission, "Redefining Security: A Report to the Secretary of Defense and the Director of Central Intelligence." •The General Accounting Office brief published in September 1998, "Information Security: Serious Weaknesses Place Critical Federal Operations and Assets at Risk." •The 1999 NRC publication, "Trust in Cyberspace."On the Defense Department side alone, one can trace concern back at least five years. In the report, "Redefining Security," the Joint Security Commission opened its chapter on systems security with these words:"Information systems security is the discipline that protects the confidentiality, integrity and availability of classified and unclassified information created, processed, stored and communicated on computers and networks. "The commission believes it is imperative that the defense and intelligence communities focus more attention on information systems security. It, together with personnel security, is one of two security disciplines that the commission believes needs more attention and recommends additional requirements that will increase costs."On the civilian side, in testimony on the 1998 General Accounting Office report made to the Senate Committee on Governmental Affairs ("Information Security: Strengthened Management Needed to Protect Critical Federal Operations and Assets"), Gene Dodaro, assistant comptroller general in GAO's accounting and information management division, noted: "Attacks on and misuse of federal computer and telecommunication resources are of increasing concern, because these resources are virtually indispensable for carrying out critical operations and protecting sensitive data and assets."As examples, he cited:•Weaknesses at the Treasury Department that place over $1 trillion of annual federal receipts and payments at risk of fraud and large amounts of sensitive taxpayer data at risk of inappropriate disclosure;•Weaknesses at the Health Care Financing Administration that place billions of dollars of claim payments at risk of fraud and sensitive medical information at risk of disclosure; •Weaknesses at the Defense Department that affect operations such as mobilizing reservists, paying soldiers and managing supplies. Moreover, the war-fighting capability is dependent on computer-based telecommunications networks and information systems.The newest version of the familiar refrain, spotlighting the Defense Department, is the March 22 National Council Report, "Realizing the Potential of C4I: Fundamental Challenges." It sings the same old song. In short, while senior officials and executives in the limelight agree much needs to be done, very little on the ground and among staff is actually getting done.In the guarded words of the report: "The perception at the highest levels of leadership that the information systems security problem is big, urgent and real must translate quickly into actions that can be observed in the field."Putting it bluntly, James McGroddy, chair of the committee that produced the NRC report and former senior vice president of IBM Research, said: "The Defense Department is building a nervous system, C4I [command, control, communications, computers and intelligence], to make its muscle [physical capabilities] more effective. However, it is grossly inattentive to protecting that nervous system from an information warfare attack. We simply don't have a [Defense Department] culture that puts a high priority on the information front vs. the physical front. The Defense Department does not implement anything that is close to best practices in the civilian sector." (See the time line, right.)In the NRC report, which covers interoperability, process and culture as well as information systems security, the committee reached two major findings on security. The first is that protecting defense information and information systems is a pressing national security issue. The second is that the Defense Department response to the information systems security challenge has been inadequate.A major point here is not simply that federal computer systems are more susceptible to cyberattacks. It is that these systems and the information they contain are part and parcel of the major focus of the military's strategy for the future.As the NRC committee noted: "The committee believes that information systems security — especially in its operational dimensions — has received far less attention and focus than the subject deserves in light of a growing U.S. military dependence on information dominance as a pillar of its war-fighting capabilities."Based on the two findings, the committee gave seven recommendations, the implementation of which they assigned to senior executive positions in the Department of Defense. The recommendations were:•Designate an organization to provide direct defensive operational support to commanders.•Ensure adequate information system security tools are available to defense civilian and military personnel, that all are properly trained in using these tools, and that all are held accountable for their information system security practices.•Fund a program of frequent, unannounced penetration testing of deployed C4I systems.•Mandate the use of network and configuration management tools and strong authentication mechanisms.•Direct appropriate defense agencies to develop news tools for information security.•Direct that a significant portion of tests and exercises involving C4I systems be conducted under the assumption they are connected to a compromised network.•Explain the consequences for U.S. military capabilities that arise from a purely passive defense of its C4I infrastructure and in exploring policy options to respond to these challenges.From his vantage point as NRC computer science and telecommunications board senior scientist and study director for the report, Herbert Lin sees the main lesson as the realization that the Defense Department can do a lot better by using what is already known, and that improving security is not so much new technology but better applications of best practices that people already know.Echoing the comments of McGroddy, Lin said: "We think the Defense Department was taking some steps, but those steps were not, in any sense of the word, adequate. Expressions of concern at the high levels were not matched by a corresponding sense of urgency on the ground. Those in the field were just not taking information systems security seriously."Lin points out that good information systems security begins with the culture, regardless of organization or social group. And therein lies a difficulty. We tend to assign security matters to one office or individual. The attitude among staff then becomes that security is solely the responsibility of the specific department or individual."Security is almost by definition an issue that cannot be confined to one office. You need assurance from the top, and that increases the likelihood that those down the line will follow. Security is fundamentally a distributed responsibility, and people must be held accountable," said Lin.He added that a new issue in the report was included in the last security recommendation on the risk of the Defense Department adopting an approach that relies on a purely passive defense and the subsequent unavoidable weaknesses in the system."We wanted to stress that there are important national security policy consequences, to energize a national debate on that subject," said Lin.Underlying Lin's meaning is that the Defense Department has little role in apprehending and prosecuting a determined attacker beyond that of offering technical assistance in locating and identifying that person.As the report notes: "... the Defense Department is legally prohibited from taking action beyond identification of a cyberattacker on its own initiative, even though the ability of the United States to defend itself against external threats is compromised by attacks on its C4I infrastructure, a compromise whose severity will only grow as the U.S. military becomes more dependent on the leverage provided by C4I."XXXSPLITXXX-The National Research Council report, "Realizing the Potential of C4I: Fundamental Challenges," identified a number of organizations with responsibility for information systems security within the Department of Defense. Among them are:Set up in January 1998, this program seeks to change how the Defense Department views information assurance, from a technical issue to an operational readiness issue. The program will review new tools (such as better systems) and techniques (including vulnerability testing) to monitor and deter attacks on defense information systems. Its overall mission is to offer a common framework and central oversight to ensure the protection and reliability of the Defense Information Infrastructure.Located in the Information Technology Office (Information Survivability) and in the Information Systems Office (Information Assurance), DARPA is responsible for much of the Pentagon's effort in research and development for information security. The agency coordinates its efforts with the National Security Agency and Defense Information Systems Agency through a memorandum of understanding. The objectives of the Information Assurance Program include architecture and infrastructure issues; preventing, deterring and responding to attacks; and managing security systems. The program's goal is to create the security foundation for the Defense Information Infrastructure and future military C4I (command, control, communications, computers and intelligence) information systems.The agency develops cryptographic and other information systems security techniques to protect classified and unclassified U.S. communications and computer systems associated with national security. Over the years, the agency has expanded its mission to include information security. Its Information Systems Security Organization is responsible for information protection activities and houses information security expertise.DISA manages the Defense Information Infrastructure. The INFOSEC Program Management Office coordinates information security activities for DISA with technical and product support, as well as with INFOSEC education within the Defense Department. The Information Assurance Division develops security policy and processes and sets up training and awareness programs. DISA also hosts the Joint Task Force on Computer Network Defense. This group works with the unified military commands, the military services and other Defense Department agencies to defend their networks and systems against intrusions and other attacks.The center is responsible for direct tactical and technical analytical support for command and control warfare to operational commanders. It supports the integration of operations security, psychological operations, military deception and electronic warfare and destruction throughout the planning and execution phases of operations. It maintains specialized expertise in command and control warfare systems engineering, operational applications, capabilities and vulnerabilities.XXXSPLITXXX-To address concerns in the Office of the Secretary of Defense about network security, John Hamre, deputy secretary of defense, issued a memorandum recently with time lines calling for near-term network security actions on defense networks NIPRNET and SIPRNET.All network e-mail systems must incorporate appropriate warning banners. Any system not bannered will be shut down until banners are incorporated.Detailed plans are due for listed tasks; progress updates are due every 30 days.All network Web access systems must incorporate appropriate warning banners. Any system not bannered will be shut down until banners are incorporated.The chief information officer will establish a vulnerability analysis and assessment team to conduct best-practice spot checks on defense networks: provide training, as appropriate; ensure proper network configuration control is maintained; ensure approved anti-virus software is installed and updated; ensure all access to the Internet is through authorized NIPRNET connections.All passwords must meet Defense Department guidance and will be changed every 90 days (10-day sliding window accepted) at minimum.The chief information officer will review and revise as necessary defense policies and procedures on the use and control of floppy disks and other portable magnetic and electronic media.All remote access to defense networks will operate across encrypted virtual private network channels.The chief information officer will present alternatives for outsourcing the operation of the single agency manager while retaining management oversight in the Defense Department.Guidance to be issued on the use of laptops during foreign travel.Fortezza-enabled [hardware-based authentication via card] DMS applications will be used for all organizational messages. Encryption will be activated for all Fortezza-enabled addressees.All defense traffic will enter and leave the Pentagon via a high-assurance firewall capable of monitoring message traffic.All defense e-mail applications will be hardware-security-token enabled. Encryption will be activated for all capable addressees.