Agencies face a range of new challenges in protecting their systems against attack

The year 2000 date code repair effort is over, and everybody's riding high. All went well. All those long hours paid off. The systems were fixed and there were no major glitches. Congressman Horn is off your back. You're feeling pretty good.

Now here's a reality check, delivered by Don Hagerling, the Treasury Department's security wonk: 'Our infrastructures are wide open to attack. Because we're so heavily dependent on them, we've essentially painted a bull's-eye around them.'

The United States, unlike most countries, is almost entirely dependent on automated systems, said Hagerling, program manager for information security at Treasury.

'We've gone the extra mile in automating our systems,' he said. 'Because of our relative affluence, we've integrated automation more into our lifestyle. For example, virtually all of the traffic lights in any major city are part of a networked distribution system. In most of the rest of the world, traffic lights just run on timers.'

The recent wave of denial-of-service attacks on big commercial Web sites, including those of Yahoo Inc., Amazon.com Inc. and eBay Inc., sent a shudder through the federal government.

'The federal government is a huge target and, just like with the private sector, the bigger and tougher the challenge it is to get into, the more fun it is for the hackers,' said a security advocate on the Hill.

To some extent, computer security is viewed as the new year 2000 problem, presenting technical and management challenges that will require a similar, coordinated response across the government to get the job done.

But for many security experts, the similarities end there.

'With Y2K it was pretty clear what the problem was,' said Bruce McConnell, director of the United Nations' International Year 2000 Coordination Center and former chief of information policy and technology at the Office of Management and Budget. 'Security is not that simple. There's no obvious methodology, it's more diffused and there's no deadline.'

Another difference is the absence of a sense of urgency on dealing with the problem, although that may be changing in the wake of the recent assaults on commercial sites. Part of the problem is that security specialists haven't been able to make the business case for security, McConnell said.

'You cannot sell security as security,' he said. It has to be sold as part of something else, such as electronic commerce, he said.

Andrew Boots, a champion for information privacy and security at the Education Department's Office of Student Financial Assistance, agreed. 'My view is that everybody from chief information officers to chief financial officers to chief executives has known that we've got an information security challenge,' he said. 'They've just never been able to make a business case that we need to make the investment that we're going to have to make.'

That point raises the issue of funding: There isn't any. At least there's no specific or emergency funding for security as there was for year 2000 work.

That's where the year 2000 effort can provide a model, Hagerling said.

'We knew about the year 2000 problem for 20 years,' he said. 'From the day people first started writing code, we knew it was going to expire, that it was going to be a problem. But nobody had the resources to try to address the problem until we set aside emergency funding and specific funding for the Y2K effort. Right now there is an unwillingness to take that same approach with security.'

He added, 'We cannot even find the resources to find out what our vulnerabilities are, let alone the resources it's going to take to fix those vulnerabilities or deploy the countermeasures.'

Aside from the complex business and political factors surrounding it, security itself is elementary, Hagerling said.

'You figure out what you've got and who should have access to it and you try to enforce those decisions,' he said. 'But this equation means you have to know who you're dealing with. If you don't have strong assurance, if you don't know who you're dealing with, you don't have security.'

Public-key infrastructure technology is widely seen as the solution to the authentication challenge.

'Right now, X.509-based digital certificate authentication is the only answer,' Hagerling said. 'It's not like there's a close second.'

Technological solutions, however, are useless without an overall policy and management strategy.

'You can throw all the technology in the world at the problem, but unless you've decided what information you want to protect and how to protect it, the technology isn't going to figure that out for you,' Hagerling said.

'The dirty little secret of computer security is that the tools don't solve the problem,' said Alan Paller, research director of the SANS Institute in Bethesda, Md. 'The tools actually provide a false sense of security. The reality of what solves the problem is training systems administrators to systematically protect their systems.'

As more agencies build virtual private networks, perhaps security consciousness will rise. In a recent GCN survey of federal systems administrators, 57 percent of those who did not have a VPN said they planned to deploy one in the next one to three years.

'Security is at the heart of making a VPN something you can use,' IBM Corp. networking consultant Laura Knapp told an audience at the recent ComNet in Washington.

One final thing. Rep. Steve Horn (R-Calif.) may be off your back, but only temporarily. He's getting ready to assess agency progress on security.

'We're gearing up now, post-Y2K, to get into security,' said a spokesman at a meeting of Horn's Government Reform Subcommittee on Government Management, Information and Technology.

Committee staff members are determining how agencies would be graded on security and are meeting with security specialists at OMB, the General Accounting Office and the Chief Information Officers Council, as well as in the private sector.

'Developing the criteria for assessing security efforts is another ball game,' the spokesman said. 'It's clear that it's a different ball game than Y2K, which was an event. Security is an hourly challenge.'

By Richard W. Walker

GCN Staff
Where to look for more information

This list of government and organization Web sites can help you keep current with security developments.

www.cert.org: the Computer Emergency Response Team Coordination Center

www.fedcirc.com: the Federal Incident Response Capability

www.fbi.gov/nipc/index.htm: the National Infrastructure Protection Center

www.infosyssec.org/infosyssec/index.html: Infosyssec, the Security Portal for Information Systems Security Professionals, started by students at Algonquin College

www.kumite.com/myths: the site run by Barn Owl Software focuses on myths surrounding computer viruses

www.sans.org: the SANS Institute

www.symantec.com/avcenter: Symantec Corp.'s AntiVirus Research Center

www.usdoj.gov/criminal/cybercrime: the Justice Department's Computer Crime and Intellectual Property Section

Photo: Don Hagerling

Photo: Bruce McConnell