Government Steps Up Information Assurance Efforts
By Nick Wakeman
Governments at all levels are embracing a brave, new electronic world that encompasses electronic commerce, better services to citizens, telecommuting, virtual private networks, online procurement and a plethora of other ideas.
While these concepts hold out the hope of a better, cheaper and more efficient government, they also open the door wider to hackers, thieves, terrorists and other troublemakers.
"We have become a very information-dominated society. We are doing great things, but it is a very double-edged sword," said Tony Valletta, vice president of command and control systems at SRA International Inc., Fairfax, Va., and a former acting assistant secretary for command, control, communications and intelligence at the Defense Department.
Indeed, several commercial Web sites experienced that downside first-hand in recent weeks. Amazon.com, eBay, CNN.com and E-Trade all came under attack the week of Feb. 7. Hackers were able to cripple the sites by flooding them with so many requests for information that legitimate users could not access the sites.
Attorney General Janet Reno announced that a criminal investigation is under way. Department of Defense sites, such as the National Security Agency, also have been subject to attacks.
Such attacks illustrate Valletta's double-edged sword: Open access is necessary to provide services and run operations efficiently, but the same openness creates vulnerabilities.
Increasingly, agencies rely on public communication networks in order to meet their missions and to give citizens and businesses greater access to services and information. Agencies also must have the ability to move data among offices scattered around the country.
Just a few years ago, security concerns centered on relatively simple things like spoof e-mails, but "now we are seeing agencies talking about security problems that impact the fundamental way they do business," said John Menkart, director of government sales for Netscape Communications Corp., Mountain View, Calif.
The federal government has undergone a cultural shift, said Phil Lecombe, senior vice president for cyberassurance at Veridian Inc., Alexandria, Va. Lecombe is the former staff director for President Clinton's Commission on Critical Infrastructure Protection.
The leadership at most agencies recognizes that their operations are tied inextricably to their information and communications systems, Lecombe said. "But we still need to understand the implications of what that means," he said.
Cybersecurity Shove
There has been a concentrated push by the Clinton administration to raise awareness throughout government about the need for information assurance and how critical it is to operations.
On May 22, 1998, Clinton released Presidential Decision Directive 63, which told agencies to identify what their critical infrastructures are and how to protect them from terrorists, hackers and other attacks.
In response, the General Services Administration began its Safeguard Program in March 1999. The program is a series of blanket purchase agreements awarded to 27 prime contractors to provide a wide range of information assurance services to government agencies. Each BPA is worth up to $250 million over four years. (See the list of Safeguard Program contract winners below.)
In January, Clinton announced he was increasing his budget request for fiscal 2001 for information assurance by 15 percent, from $1.7 billion in fiscal 2000 to $2 billion.
The market research firm Federal Sources Inc., McLean, Va., projected last year that information assurance spending would double from $1.2 billion in 1998 to $2.4 billion in 2003.
Actual spending on information assurance can be hard to ferret out, because more and more of it is embedded in IT projects, according to company executives.
"Every one of the contracts we have won in the last year has had security elements, even if it wasn't a contract for security services," said Gail Phipps, executive vice president for enterprise information systems at CACI International Inc., Arlington, Va.
"Security is no longer an ancillary, nice-to-have kind of thing. It is essential," Lecombe said.
Along with pressing for additional funding, the Clinton administration released Jan. 7 its National Plan for Information Systems Protection, Version 1.0. It is essentially the executive branch's first stab at creating a plan to defend the nation's information technology systems.
The plan focuses on government IT systems, but future versions will include the systems that the banking, finance, energy and transportation industries rely on to operate, said John Tritak, director of the Critical Infrastructure Assurance Office, which is spearheading the effort for the administration.
"The need to assure delivery of critical services over our infrastructures is not only a concern for the national security and federal law enforcement communities, it is also a growing concern for the business community, since the security of information infrastructure is a vital element of e-commerce," said Tritak on Feb. 1 in testimony before the Senate Judiciary Committee's subcommittee on technology, terrorism and government information.
Clinton's latest cybersecurity plan builds on Presidential Decision Directive 63, asking agencies to prepare for and prevent cyberattacks and to develop plans for detecting and responding to such attacks.
Agencies must go beyond simply putting in firewalls and intrusion detection devices, though technology is a critical component, company officials said. The start to a solution often is decidedly low-tech, with many systems integrators beginning their security assessments with interviews and surveys of agency personnel.
Questions focus on how often passwords are changed, whether agency officials write them down (not a good thing), and if they know security policies and procedures.
Training is Vital
Training personnel is an important element of any information assurance plan and is one area where Clinton plans to increase funding.
"Training has to go all the way down through all your users," said Michael Gibbons, a senior manager for KPMG Consulting, New York.
Users must understand security risks, said Gibbons, a former FBI agent. "Awareness training is very important. You have to understand why you don't use a dial-up modem when you are connected to your network," he said.
A key part of a security analysis is determining what needs protection.
"You have to identify your critical process, what you can ill afford to lose," said John Thomas, vice president and deputy general manager for services at AverStar Inc., a Burlington, Mass., systems integrator. "You have to look for cause-and-effect relationships."
Everything on a network needs to be mapped out, said Chuck Roth, vice president of federal sales and marketing for Network Associates Inc., a Santa Clara, Calif., company that makes network management tools. "You have to know where all the points of entry to your systems are," he said.
Year 2000 Lessons
The Y2K software conversion scare helped raise the level of awareness about information security throughout government, and highlighted where government operations were vulnerable, officials said.
"Y2K really positioned people well to understand the potential security problems they have and to focus on them," Menkart said. "People are starting their look at security from a position of knowledge."
The date code problem also showed how well government and industry can work together to solve a problem, said Chris Kelly, vice president of the infotech team at Booz-Allen & Hamilton Inc., a systems integrator and consulting company in McLean, Va.
While Y2K "sucked up a lot of money," it leaves behind building blocks for sharing information, he said.
"Y2K may have offered us some new hope and some new models for the future," Lecombe said.
Veridian and Mitre Corp. of Bedford, Mass., helped the White House track cyberattacks by managing the National Infrastructure Center on Cyber Assurance, a White House effort set up for the year 2000 date-code change.
The center monitored potential attacks as the calendar clicked over from 1999 to 2000. There was high-level government concern that hackers would use the date change as a cover for attacks, Lecombe said.
Veridian collected reports from companies that manage networks for other companies. Groups such as Internet Operators, the System Administration and Network Security Institute and the Computer Emergency Response Team at Carnegie Mellon University in Pittsburgh also supplied data to Veridian, which then shared it with Y2K officials at the White House center.
Lecombe said it was the first time this kind of information was collected in one place from so many sources. "That was a model of cooperation that never existed before," he said. Because the center was a free, volunteer effort by industry, the model could not survive over the longer term, but it "showed what could be done," he said.
Technology Advances
While policies and procedures provide the bedrock of information assurance, new technology also is a key component of success. Network automation tools and other technologies will play a crucial role because they can help agencies do more with less in this era of downsizing, industry officials said.
In his fiscal year 2001 budget proposal, which was submitted to members of Congress this month, Clinton proposed $621 million for information assurance research and development efforts.
Automation tools have moved beyond monitoring a network and issuing reports of problems. Today, such software tools automatically take actions, such as shutting out someone from the system when problems arise, said Harry Clarke, general manager of the federal government group for BMC Software Inc., a Houston-based maker of network management software.
Automation tools also can take over tasks, such as managing passwords as people leave an organization, so breaches in security do not occur.
But a lot of these agencies have very limited resources and increasing amounts of applications, Clarke said. "That produces a tremendous burden, and you increase your propensity for errors," he said.
Enter companies like San Diego-based Science Applications International Corp. Its Global Integrity unit has a rapid emergency action crisis team called REACT, which has tools to trace Internet attacks designed to disrupt service to e-commerce sites.
These attacks are one of the single greatest threats facing electronic and business-to-business commerce, because they can completely shut down a Web site, said Morgan Wright, director of Global REACT Services for Global Integrity.
PKI Takes Off
Looking ahead, agencies are likely to rely increasingly on the private sector to provide critical information assurance services because of budget constraints and private-sector expertise, industry officials said.
General Dynamics Corp., Falls Church, Va., is conducting a pilot study for the Defense Department to evaluate the use of commercial vendors to provide high-assurance digital certificates, known as Class IV certificates. These certificates are a key component of public key infrastructure (PKI), which is used to secure transactions of data over the Internet by identifying the users on both ends of a transaction.
The certificates are unique credentials that identify the user and even the computer that user is authorized to use, said Mike Guzelian, business area director for General Dynamics' information security group.
Because Class IV certificates are used to transmit sensitive but not classified data, users must register in person to get their certificate. A smart card or biometric data, such as a fingerprint, also must be used, he said.
The Defense Department is turning to the private sector "because they are looking to reduce development costs and reduce the cost of operations," Guzelian said. The certificates also allow the agency to use public communications networks rather than building its own, another cost savings, he said.
While the pilot is only for 1,000 certificates, the Department of Defense has a need for between 2 million and 4 million certificates, said Guzelian, who declined to estimate the value of that business.
"PKI is really starting to take off across the whole Internet environment," he said.
Critics: Big Plans Call for Big Bucks
By Nick Wakeman
With the issue of protecting government and commercial information and communications networks from attacks by hackers and terrorists all the rage, one sticking point remains: How do you pay for the technology, services and training needed for such protection?
While President Clinton is proposing to spend more than $2 billion on information assurance initiatives in fiscal 2001, an increase of 15 percent, some company officials worry that the goals laid out in his National Plan for Information Systems Protection, Version 1.0, amount to unfunded mandates. Clinton simply is not asking for enough money for everything he is proposing, some critics said.
"The budget is probably the biggest challenge agencies face," said Michael Gibbons, a senior manager for KPMG Consulting of New York.
Most agencies are finding the funds for information assurance the same way they addressed the year 2000 problem early on: by reprogramming dollars, said Tony Valletta, vice president of command and control systems at SRA International Inc. of Fairfax, Va.
"Hopefully, we'll see some more resources added" during the budget process, he said.
There is a danger of adding security dollars at the expense of funds for operations, said John Thomas, vice president and deputy general manager for services at AverStar Inc. of Burlington, Mass. "What can happen is the operations folks will develop shortcuts that can create more security problems," he said.
President Clinton's budget request seeks:
$25 million for recruiting, training and retaining IT experts;
$5 million for conducting vulnerability analyses and establishing a permanent emergency response team at the Department of Commerce;
$10 million for designing a federal intrusion detection network;
$621 million for public-private research and development efforts;
$50 million for an Institute for Information Infrastructure Protection to aid research and development, standards and benchmark development and development of curriculum.
Safeguard Program Contract Winners
The General Services Administration began its Safeguard Program in March 1999. Twenty-seven prime contractors were awarded a series of blanket purchase agreements to provide a wide range of information assurance services to government agencies. Those winning BPAs are:
Analytical Data Systems Engineering Corp.
Booz-Allen & Hamilton Inc.
CACI International Inc.
Collins Consulting Group
Computer Sciences Corp.
Electronic Data Systems Corp.
Electronic Warfare Associates Corp.
General Dynamics Corp.
GRC International Inc.
GTE Federal Network Systems (formerly BBN Corp.)
Kajax Engineering Inc.
L&E Associates Inc.
Lockheed Martin Corp.
Science Applications International Corp.
SRA International Inc.
Trident Data Systems