[iwar] [fc:Congress.Takes.Up.Cybersecurity]

From: Fred Cohen (fc@all.net)
Date: 2002-01-16 12:21:12



Congress Takes Up Cybersecurity 
By Patience Wait, Washington Technology, 1/15/2002
http://www.newsbytes.com/news/02/173655.html

Lawmakers are moving to beef up the nation's information security with
legislation that would provide more than $870 million over five years
for a wide range of research and education grants. 
The Cybersecurity Research and Development Act, introduced Dec. 4 by
Rep. Sherwood Boehlert, R-N.Y., and five co-sponsors, would allocate
more than $560 million to the National Science Foundation. With the
funds, the foundation would administer grants for educational programs
and basic research on computer security techniques and technologies,
including authentication, encryption, intrusion detection, reliability,
privacy and confidentiality. 
The legislation also would provide nearly $310 million to the National
Institute of Standards and Technology for research on cybersecurity. 
Boehlert, who chairs the House Science Committee, said the government
spends only $60 million a year on cybersecurity research and
development, a "woefully inadequate investment." 
The bill comes amid criticism by some industry officials that the Bush
administration is not devoting sufficient resources to cybersecurity. 
"What we're hearing out of the administration is there needs to be
better management of resources, not more dollars," said Harris Miller,
president of the Information Technology Association of America,
Arlington, Va. "I just don't agree with them." 
Miller said many agency chief information officers privately say they
need more funding to carry out needed cybersecurity programs. 
However, he expressed confidence that Richard Clarke, the president's
special adviser on cybersecurity, will persuade the administration to
allocate the necessary funding. 
"I'm almost certain there's going to be a supplemental appropriations
bill next year," he said. As the House takes up the Boehlert bill, Rep.
Tom Davis, R-Va., chairman of the House Government Reform subcommittee
on technology and procurement policy, is preparing legislation to
reauthorize the Government Information Security Reform Act, a law
requiring federal agencies to report on their security measures. 
This time, however, Davis plans to give the law some teeth by requiring
NIST to establish minimum IT standards that all agencies must follow.
The legislation also would require the Office of Management and Budget
director to make the standards compulsory and binding: No more could
there be a waiver of standards set by the Computer Security Act. 
On the Senate side, Sens. Bob Bennett, R-Utah, and Jon Kyl, R-Ariz.,
have co-sponsored legislation, the Bennett-Kyl bill, that would create
limited exemptions to antitrust and Freedom of Information Act laws to
encourage companies to share information regarding cyber-attacks and
security measures with each other and with the government. 
Many companies have been reluctant to cooperate and share with the
government for fear that attorneys interested in litigation could get
access to the information through the Freedom of Information Act.
Companies also were reluctant to share information with each other,
fearing prosecution under anti-trust laws. 
Bill Poulos, a vice president of the U.S. government group for
Electronic Data Systems Corp., Plano, Texas, said the goals of the
Bennett-Kyl bill are at the top of his priority list. Companies should
be shielded from frivolous lawsuits, he said, "when companies are coming
together to enhance the security of the entire community, private and
public." Poulos also said the government needs to provide more funding
for cybersecurity. 
"Up until Sept. 11, there just wasn't much going on," he said. "There
was legislation and some requests in the budget, but it was peanuts."
Industry experts said training, internal processes and technology are
major areas to be addressed in tightening cybersecurity. 
As much as 75 percent to 80 percent of cybersecurity threats come from
inside a network, said Mike McConnell, vice president of Booz-Allen &
Hamilton and former director of the National Security Agency. 
Much of that risk would be minimized if companies and agencies trained
employees in the need for security and protocols. Other aspects of the
human element include forming a vulnerability assessment team, an
investigation component and an emergency response plan. 
Organizations also must put into place policies that ensure all
processes, such as acquisition and integration of new hardware and
software, are done with an eye on maintaining information security, risk
assessment and performance measurements. 
Then comes the investment in the right technology. "Most security
technology purchases have been reactive," said Arthur Coviello,
president and chief executive officer of RSA Security Inc., Bedford,
Mass. A particular kind of security measure is put in place only after
there has been some kind of damage or attack of that type. 
The need for improved security among the agencies was highlighted by
recent report cards issued by Rep. Stephen Horn, R-Calif., chairman of
the House Government Reform subcommittee on government efficiency,
financial management and intergovernmental relations. Information
compiled for Horn and released Nov. 9 indicates that 16 out of 24 major
federal agencies - including the departments of Defense, Commerce,
Justice, Treasury and Transportation - received an F. 
"We are facing an awareness that the Internet is at risk," said Sen.
George Allen, R-Va., at a press conference Dec. 11. Allen said the
Energy Department headquarters detected 2,800 viruses in inbound e-mail
during the week of Sept. 10-14; the next week, more than 29,000 viruses
were found. 
"It could be a coincidence," Allen said. "I think there could be more to
it." However the government and private sector attack the problem of
information security, many in Congress and industry contend the
administration must step up its spending on research, education and
training. 
"There has been a disconnect between government rhetoric on security and
the allocation of resources," ITAA's Miller said. 
Staff Writer Patience Wait can be reached at pwait@postnewsweektech.com. 
Reported by Washington Technology, http://www.washingtontechnology.com

------------------
http://all.net/ 
