An address to the RSA Conference this week by Homeland Security Secretary Michael Chertoff is at best underwhelming, and at worst downright frightening.
Chertoff has called for a Manhattan Project for cyber security. He wants Silicon Valley to offer its "best and brightest." The 2009 budget -- which the story notes likely will be changed by the incoming president -- now has billions of dollars on tap to improve the safety of networks used by the government.
The nagging question is simple: When did the government get the news that federal computer networks must be better protected? The safety of these systems was a vital issue in 2000. It got even more important after 9/11, and remains a vital issue now. If Chertoff is calling for a Manhattan Project now, it is logical to assume that someone was not minding the store for the past seven years of the Bush administration.
It also seems unlikely that anything so ambitious will get done as the administration enters its final months.
It's unclear precisely what the linkage is between Chertoff's call for greater attention for cyber security and two Cyber Storm exercises carried out by the federal government. Cyber Storm II, which was held March 10-14, was characterized as a "shakedown cruise" for what was learned in Cyber Storm I.
The Cyber Storms are simulated attacks against a variety of networking infrastructure elements. InternetNews says Cyber Storm II, which focused on transportation and energy at the state, federal and international level, attacked control systems, networks, software and included social engineering. The piece says that participants included 18 federal departments and agencies in nine states, four foreign governments and a number of corporations.
No information is given about the results. The frightening thought is that what the government learned during Cyber Storm II led to Chertoff's call for an ambitious remedial program.
Hopefully, the state of affairs is a bit better than it is portrayed in this screed at Network World. The security analyst essentially says that federal networks are rife with vulnerabilities -- many of which would be handled easily in the private sector -- and that the huge budget the government is preparing to lavish on the problems is the wrong approach. He then worries that the Cyber Security Center is being created in secret and that the NSA will have a big role in it. The writer, perhaps a bit unfairly, criticizes the new head of the center, Rod Beckstrom.
The blogger suggests that instead of throwing money at the problem, poor network security can be confronted by draconian actions such as automatically demoting everyone in the military connected with IT on the rationale that they have failed to secure their networks. Reinstatement of rank, he says, should be contingent on achieving that security. http://www.accountability-central.com/single-view-default/article/fact-sheet-protecting-our-federal-networks-against-cyber-attacks/?tx_ttnews%5BbackPid%5D=1&cHash=53784db199A glimpse into precisely what the federal government claims to be doing is available at Accountability Central. The report, which the site says is authored by DHS, begins by saying that President Bush in early January gave an order to improve cyber security. The order, formerly called National Security President Directive 54/Homeland Security Presidential Directive 23, is said to formalize a set of ongoing processes. DHS is the lead agency in these efforts.
The listing of ongoing efforts includes adding to the U.S. Computer Emergency Readiness Team (US-CERT); expanding the EINSTEIN Program to all federal departments and agencies; and reducing the number of external connections used by government networks.
The increasing reliance of society on the Internet has a frightening downside. Hopefully, the government is serious about confronting vulnerabilities. The timing of the initiative announced by Secretary Chertoff at RSA, however, is anything but reassuring.