
U.S. critical infrastructure needs improved security

Jan 19, 2006

* Reports from 2005 criticized state of U.S. government security

The year 2005 saw a number of reports summarizing and often criticizing the state of cybersecurity in the critical infrastructure of the United States.

The Department of Homeland Security (DHS) published its first annual privacy report in February covering April 2003 through June 2004. The U.S. government has lagged behind other nations in establishing formal government positions focused on privacy, so it was encouraging to find upon opening the PDF file for the report that the DHS actually has a chief privacy officer, Nuala O’Connor Kelly.

As I reported in a column in 2005, the President’s IT Advisory Committee (PITAC) issued a report in March. RISKS carried this description:

“In Cyber Security: A Crisis of Prioritization, PITAC presents four key findings and recommendations on how the Federal government can foster new architectures and technologies to secure the Nation’s IT infrastructure. PITAC urges the Government to significantly increase support for fundamental research in civilian cyber security in 10 priority areas; intensify Federal efforts to promote the recruitment and retention of cyber security researchers and students at research universities; increase support for the rapid transfer of Federally developed cyber security technologies to the private sector; and strengthen the coordination of Federal cyber security R&D activities. To request a copy of this report, please complete the form, send an e-mail to , or call the National Coordination Office for Information Technology Research and Development at (703) 292-4873. Cyber Security: A Crisis of Prioritization can also be downloaded as a PDF file by accessing the link here.”

The director of the National Science Foundation (NSF), Arden Bement, reported in May on the NSF’s Cyberinfrastructure Interim Working Group report. From Edupage comes a summary:

“[T]he NSF is developing a plan to support development of the nation’s cyberinfrastructure, including that of colleges and universities. Bement said that funding for cyberinfrastructure is ‘one of the most important investments of the 21st century,’ [and]… that higher education in particular is in need of improvements. What he described as six-lane superhighways for data ‘are reduced to two-lane roads at most college and university campuses.’ Such information overload… impedes research from being conducted efficiently. Still, Bement noted that money for the NSF ‘is not plentiful’ and that it will likely be even scarcer in the future.”

The Government Accountability Office strongly criticized the DHS in a report published in May. The DHS failed to address any of “13 areas of cybersecurity, including bot networks, criminal gangs, foreign intelligence services, spammers, and spyware.” In addition, the report cited extensive turnover in the upper echelons of DHS management.

A month later, an internal audit at DHS was released that pointed out that 19 DHS sites “had no functioning backups or relied on obviously deficient or incomplete backups.” In a prescient comment, it added, “Even the Federal Emergency Management Agency… was unprepared.”

A September report by the DHS Inspector General described the department’s IT systems as largely “uncertified and unaccredited” and its remediation plans as “undeveloped.” This report confirmed that DHS lacked adequately developed and tested contingency plans.

In October, a federal judge ordered the entire Department of the Interior off the Internet “until it can prove [that] the data on its network is safe.” U.S. District Judge Royce Lamberth described the department’s computer security as “disorganized and broken.”

In December, the Cyber Security Industry Alliance (CSIA) issued a blistering report giving the federal government an overall grade of D+ (58%) on its cybersecurity efforts. One of the criticisms was that the new position of Assistant Secretary for Cybersecurity at the DHS remained unfilled six months after its announcement.

Plenty of room for New Year’s resolutions, I guess.