While other people peruse light or trashy novels on the beach, I spent the summer reading through government reports on cybersecurity.
I was reviewing a GAO report from June 25, 2009 titled, "Cybersecurity, Continued Federal Efforts are Needed to Protect Critical Systems and Information," when I came across some rather shocking declarations buried in the report which are worth calling attention to.
The report assesses cybersecurity status and progress throughout DHS including at the United States Computer Emergency Readiness Team or US-CERT. On its website, US-CERT says that it is, "charged with providing response support and defense against cyber attacks for the Federal Civil Executive Branch (.gov) and information sharing and collaboration with state and local government, industry, and international partners." So in the event of a devastating cyber attack, we all count upon US-CERT to detect the event, collect and share data, and then manage the response effort throughout the government and private sector.
Clearly, this is a central role for event detection, analysis, and response. Unfortunately, US-CERT may not be capable of performing these critical tasks. The GAO Report states that US-CERT:
1. "Has not established a baseline of the nation's critical network assets and operations." Translation: We can't really tell if there is a problem since we don't know what we have or how it normally behaves.
2. "Also provided warnings by developing and distributing a wide array of attack and other notifications; however these notifications were not consistently actionable or timely." Translation: US-CERT is distributing useless information so people will ignore it.
3. "Did not possess the resources to handle multiple events across the nation." Translation: We may be okay if cyber terrorists attack us using the Melissa virus, but if they launch simultaneous attacks across distributed critical infrastructure, we're screwed.
The section concludes with this bureaucratic but frightening statement, "we also concluded that without fully implementing the key attributes, US-CERT did not have the full complement of cyber analysis and warning capabilities essential to effectively perform its national mission."
Holy cow! Senators Rockefeller and Snowe are working on a cybersecurity bill, President Obama is looking for a cybersecurity coordinator, and at the same time, the GAO is telling us that US-CERT isn't prepared for a cyber attack.
In my humble opinion, Washington's urgency and priorities around cybersecurity have to change quickly. We need action, not political horse trading, lobbying, and legislative agendas. Must we suffer an attack before this happens?
Let's be clear and honest,
Let's be clear and honest, shall we? (I know this is contrary to the fear mongering effect you were looking for, but run with this, OK?)
The report also makes clear that statutory authorities, or lack thereof, are at the heart of that lack of capability. Fix that, you answer the GAO report.
more statutory authority?
Why is "more statutory authority" always the answer to problems the government has enlisted itself to address? What's required, a broader DHS agenda? More investments, better priorities? Or is it technology regulation that you're after?
Response to final question:
Yes. Must we have an accident before a light is put up at an intersection? Yes. It seems to me that the strategy in this country is "wait until the beast gets really big, then try to tackle it."
Bang! Boom! Pow!
As it is with everything ... no one will do anything to fix anything until a major catastrophe occurs!!!
Where are links to the source docs?