From: Fred Cohen <fc@all.net>
To: iwar@onelist.com (Information Warfare Mailing List)
Date: Thu, 13 Sep 2001 18:56:29 -0700 (PDT)
Subject: [iwar] [fc:In-Wake-Of-Attacks,-Feds-Review-Cyber-Security]

In Wake Of Attacks, Feds Review Cyber-Security
By Brian Krebs, Newsbytes, 9/13/2001
http://www.newsbytes.com/news/01/170024.html

One day after terrorist attacks shook the nation's capital and the heart
of the country's financial world, the U.S. federal government is taking another look at weaknesses that invite attacks on federal computer systems. And so far, it doesn't look good, according to the federal government's chief auditing agency.

Speaking at a Senate Governmental Affairs Committee hearing today, Joel Willemssen, managing director of information technology for the U.S. General Accounting Office, said recent reports and events indicate that efforts to beef up the cyber-security of federal systems are not keeping pace with the growing threats.

Willemssen noted that despite repeated reports chronicling many of the same vulnerabilities, critical operations and assets at many agencies continue to be highly vulnerable to computer-based attacks.

"Despite the importance of maintaining the integrity, confidentiality, and availability of important federal computerized operations, federal computer systems are riddled with weaknesses that continue to put critical operations and assets at risk," he said.

In August, the GAO reported that "significant and pervasive weaknesses" may have jeopardized Commerce Department systems, many of which are considered critical to national security and public safety.

In March, the GAO said continued security problems at the Department of Defense's Information Assurance Program. A similar report later conducted by internal investigators at the DoD was inconclusive on those points because officials were unable to accurately determine the status of information security relationships across the agency.

The GAO said many agencies have uncovered additional weaknesses in their computer networks due in large part to a law passed last year requiring all federal agencies to conduct vulnerability tests on their systems at least once a year. These results "don't necessarily mean security is getting worse, but that agencies are becoming more aware of their particular vulnerabilities," Willemssen said.
All federal agencies are expected to submit the results of those annual tests to the Office of Management and Budget by the end of the week. The OMB plans to develop a summary based on the test results in a report to Congress later this year.

The GAO report also took aim at the National Infrastructure Protection Center (NIPC), the FBI's cyber-security arm, calling the agency's plans for further developing its analytical capabilities "fragmented and incomplete."

The GAO also said relationships between the NIPC, the FBI, and the National Security Council remained unclear as to who had direct authority for setting NIPC priorities and providing NIPC oversight.

The FBI and the NIPC also have made only very limited progress in developing an inventory of the nation's most critical - and vulnerable - infrastructures, the GAO said.

The report also questioned the NIPC's role in InfraGard, a program that allows the FBI and NIPC to securely share cyber-security information with companies in the private sector. The program was created to open lines of communications between the federal government and companies that operate many of the nation's most critical infrastructures, such as the banking, telecommunications, transportation and energy sectors.

The GAO said that of the four information sharing and analysis centers (ISACs) recently created to exchange attack and vulnerability data within individual industries and with the federal government, the NIPC has so far only developed a relationship with one - that belonging to the electric power sector.

"The NIPC's dealings with two of the other three centers primarily consisted of providing information to the centers without receiving any data in return," the report noted.
A number of companies involved in the information sharing networks have said they are reluctant to share data about weaknesses in their networks with the federal government without guarantees that companies would not face antitrust charges or other liabilities as a result.

Reps. Jim Moran, D-Va., and Tom Davis, R-Va., have introduced legislation that would exempt participating companies from antitrust liability and shareholder lawsuits. Sens. Robert Bennett, R-Utah, and Jon Kyl, R-Ariz., are expected to introduce a somewhat similar bill later this month.

In May, the GAO caused a stir when it told Congress that most of the 81 Internet security alerts issued by the NIPC over the last three years pertained to attacks already underway. The GAO said the NIPC's ability to forecast attacks on Internet sites and services has been hindered by staff shortages, a lack of a common government-wide vocabulary, and process for defining a cyber-attack.

A copy of the GAO report is on the Web at: http://www.gao.gov
This archive was generated by hypermail 2.1.2 : 2001-09-29 21:08:42 PDT