Industry experts question $6 billion Bush cybersecurity plan
Intrusion detection not enough to thwart hackers, they say.
A system that focuses on network protection will do little to fend off intruders, industry sources argue in response to reports that President Bush will allocate $6 billion in his 2009 budget to a cybersecurity project meant to shield communication networks from terrorists and hackers.
The Wall Street Journal reported on Monday that the administration plans to reduce access points from the Internet to government networks and better monitor intrusion attempts through the use of network sensors that detect suspicious patterns. Once implemented in government, the program would be adapted to private networks. Former officials told The Wall Street Journal that the $6 billion would be the initial part of a potential total cost of $30 billion over seven years.
"Five years ago we needed this type of investment," said Howard Schmidt, president and CEO of R&H Security Consulting, former vice chairman of the president's Critical Infrastructure Protection Board and special adviser to the White House on cyberspace security. "Is it enough? Only time will tell, but it seems to be a good amount to deal with some of the issues we've identified for the past five years."
Between 2003 and 2006, nearly 63,000 cyber incidents were reported to the Homeland Security Department's U.S. Computer Emergency Readiness Team, established in 2003 to coordinate defense against and responses to cyberattacks. Of that total, nearly 4,000 were policy violations, more than 4,600 malware findings and a nearly 42,000 were phishing attempts. "No matter what form the attacks take, they continue to come," DHS cybersecurity and communications assistant secretary Greg Garcia said in October 2007.
Federal officials remain mum on details of the alleged cybersecurity system, which one DHS spokesperson called speculation until the president rolls out the budget.
Some argue that a focus on intrusion detection alone is not enough.
"Securing a network is not the same as securing the data," Schmidt said. "When you look at securing government systems, there needs to be a lot of restructuring of the architecture -- legacy hardware, software and applications. None of those were designed to operate in the high threat environment we operate in today. All of that needs to be ripped out and replaced."
Chris Wysopal, chief technology officer at Burlington, Mass.-based application security vendor Veracode, compares a network-centric security strategy with posting police on every corner in a dangerous neighborhood, but failing to fix shoddy locks on the houses.
"Intrusion protection and detection machines are only one piece of the puzzle," Wysopal said, pointing to the source of data -- the operating systems and applications themselves -- as equally if not more vulnerable. "When I install software of unknown pedigree, I'm installing a lot of risk. That mentally has to change. I need to know who wrote it, how it was written, and what standards or tests it passed to show it has the quality I need. We wouldn't plug in electrical equipment if it wasn't UL listed because we couldn't ensure our business, but software often slips right in. The bar doesn't have to be super high, but there needs to be a bar."
A number of recent incidents magnified the need to better secure public and private networks. On Jan. 16, a CIA official confirmed attacks on computers that operate power companies worldwide, causing at least one widespread electricity outage. And in March 2007, researchers from the Idaho National Laboratories simulated a cyberattack on a power plant's control system that caused a generator to self-destruct. The test prompted a hearing held by the House Homeland Security Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology to examine vulnerabilities in the computer networks that run water, power and chemical plants.
In 2006, DHS ran the first national cyber exercise to determine how the federal government and corporations running the nation's infrastructure would respond to a cyberattack. Security experts criticized the exercise, saying it failed to determine basic procedures such as whether the federal government or the private sector was in charge of issuing responses.