Cyber Terror

Jul 1, 2008 12:00 PM, By Michael Fickes

Failing marks for the government's network security

What is the government doing to secure its networks against hackers, terrorists and nation states? Under FISMA, the OMB grades security systems protecting networks across the U.S. government. The most recent report card (for 2007) found disturbing trends in the nation's cyber security programs.

While departments and agencies such as the Justice Department and Social Security received A+ grades, DHS got a B+, up from a D the year before. The Department of Defense (DoD) came away with a D-, up from an F in 2006. The Departments of Interior, Treasury and Agriculture all received Fs for 2007 and 2006.

Perhaps most disturbing of all, the Nuclear Regulatory Commission, which manages and tracks the security plans for the nation's nuclear power generating plants, got an F.

Why can't the government secure its networks?

There are many reasons that networks are not well secured. Perhaps the most unnerving explanation is mistakes.

“Recently a nuclear power plant in Georgia (U.S.) had connected its secure network to its administrative network,” says a security software vendor familiar with the case. “Because maintenance activities were taking place on the administrative network, a security feature triggered a plant shutdown. While the security feature eventually worked, for some period of time the secure network was connected to the administrative network which was connected to the Internet and vulnerable to attack.”

Bad as it sounds, mistakes happen, even if an agency does its best to eliminate them. So in addition to trying to secure networks against attacks, it is also important to cultivate the ability to respond and recover.

“While we are developing strategies to defend against different types of attacks, attackers are creative and smart,” says Ron Ross, project leader for the FISMA implementation project in the computer security division of NIST. “Their goal is always to stay a step ahead of us.”

According to Ross, no matter how sophisticated the defenders get, those on the offense will occasionally break in. His recommendation is to develop contingencies.

A federal agency responsible for managing sensitive systems can expect to be attacked, he says, adding that a certain percentage of attacks will succeed. In measuring the effectiveness of security programs, it is important to look beyond how many attacks have been warded off and to consider what happens when an attack succeeds: Can the agency absorb it, respond, recover and continue to do business?

“This is a new mindset,” Ross says. “People have the idea that they want a bulletproof system. But that's not how security works. Right now in government, we're implementing a cyber defense concept called defense-in-depth. This is about layers of security controls.”

Ross describes 17 layers of controls that fall under three headings: technical, operational and managerial. Technical controls include layers such as network access control systems and encryption. Managerial controls include policies and procedures as well as risk assessments. Operational controls cover physical access control systems, security officers and video surveillance.

Operational controls also include contingency plans that lay out what to do after a successful attack. What steps must be taken to respond, recover and continue the agency's work? “And the contingency plans must be practiced and drilled regularly,” Ross says. “In the military, they say ‘we fight as we train.’ That means that when they go into combat they are executing as they've been trained. We have to drill contingency plans for cyber attacks with the same goal in mind: When it happens, we know what to do.”

IP security technologies

Technologies designed to defend networks are growing more capable.

One of the initiatives the federal government is working on today to improve network security is an OMB mandate called TIC, short for Trusted Internet Connection. “A large federal agency might have a half million IP devices from desktop computers to phones and servers, all connected through the Internet back to a central office or into university research laboratories and vendors' offices,” says Michael Markulec, COO of Lumeta Corp. in Somerset, N.J.

© 2010 Penton Media Inc.
