President Obama has directed his National Security and Homeland Security Advisors to immediately conduct a review of plans, programs, and current activities underway government-wide aimed at combating cyber crime. Melissa Hathaway, a former official in the Bush administration who coordinated cyber monitoring for the Director of National Intelligence, will oversee the review.
Image caption: Obama has called for a review of cyber security... will it matter? (Image: J. Anderson)
The review, set to last 60 days, will develop what will eventually become the framework expected to ensure U.S. cyber security is integrated, resourced, and coordinated with Congress and the private sector. While there have been several attempts in the past to move cyber security to a large scale, ego and politics have always prevented inter-agency cooperation.
According to AP coverage, as well as official comment from John Brennan, the Assistant to the President for Counterterrorism and Homeland Security, the security and economic health of the United States will depend on the security, stability, and integrity of our cyberspace, both on a private and public level.
"The President is confident that we can protect our nation’s critical cyber infrastructure while at the same time adhering to the rule of law and safeguarding privacy rights and civil liberties," said Brennan.
This sounds great on paper. The review will look at things such as how passport applications, tax returns, and other sensitive documents are stored and utilized. The process will also involve how agencies implement and deal with network security issues. Yet, if the past has shown us anything, the little things expose the government far more than a single national cyber attack.
Take Gary McKinnon, the famous government "hacker" and UFO fan. He didn't crack government computers at all. He used remote access software with default passwords to gain the access he was charged with. Once McKinnon had that access, had he been malicious, the network was his on many levels. However, McKinnon wasn't malicious; he was just zealous and later found himself caught in the middle of a political war.
Another example occurred recently. The Conficker worm took down part of the network used by the courts in Houston. The infection caused cases to be moved and even halted a small number of arrests.
In January, the Government Accountability Office (GAO) slammed the IRS over its security policy. One of the items in the GAO report states that the "IRS continues to transmit data, such as account and financial information, from its financial accounting system using an unencrypted protocol."
The GAO also criticized the IRS for weak passwords, for granting users excessive system privileges (most user accounts run at an elevated level), and for leaving system IDs, passwords, and related information available to anyone on the IRS network. These IDs and access rights link any user to critical applications.
The GAO said access for terminated employees was never removed, so their accounts remained active. Finally, the most damning part of the GAO report is the IRS's inconsistent patching of network systems.
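The GAO findings above (active accounts of terminated employees, excessive elevated access, inconsistent patching) are the kind of thing a routine audit can catch. The following is an added example, not code from the article or from the GAO or IRS: a small audit over constructed HR, directory, and patch-inventory records, which returns the offending accounts and hosts.

```python
"""Added example (not from the article): audit over constructed data,
modelled on the GAO findings quoted above. All records are constructed."""
from datetime import date

# Constructed HR feed: user -> termination date (None = still employed)
HR_RECORDS = {
    "alice": None,
    "bob": date(2009, 1, 15),    # terminated, account should be disabled
    "carol": None,
    "dave": date(2008, 11, 2),   # terminated, account should be disabled
}

# Constructed directory export: account state and privilege level
ACCOUNTS = [
    {"user": "alice", "enabled": True,  "admin": False},
    {"user": "bob",   "enabled": True,  "admin": True},   # orphaned admin
    {"user": "carol", "enabled": True,  "admin": True},   # elevated, employed
    {"user": "dave",  "enabled": False, "admin": False},  # correctly disabled
]

# Constructed patch inventory: host -> date of last applied patch
PATCH_DATES = {"fin-db-01": date(2009, 2, 1), "fin-app-02": date(2008, 9, 20)}

def orphaned_accounts(hr, accounts):
    """Enabled accounts whose owner HR lists as terminated."""
    return sorted(a["user"] for a in accounts
                  if a["enabled"] and hr.get(a["user"]) is not None)

def elevated_accounts(accounts):
    """Enabled accounts holding admin rights; each needs a documented reason."""
    return sorted(a["user"] for a in accounts if a["enabled"] and a["admin"])

def stale_hosts(patch_dates, today, max_age_days=30):
    """Hosts whose last patch is older than the allowed window."""
    return sorted(h for h, d in patch_dates.items()
                  if (today - d).days > max_age_days)

def audit(today=date(2009, 2, 10)):
    """Return the three finding lists as one report."""
    return {
        "orphaned": orphaned_accounts(HR_RECORDS, ACCOUNTS),
        "elevated": elevated_accounts(ACCOUNTS),
        "unpatched": stale_hosts(PATCH_DATES, today),
    }

if __name__ == "__main__":
    for finding, items in audit().items():
        print(f"{finding}: {items}")
```

In practice the three inputs would come from the HR system, a directory export, and the patch management tool; the checks themselves stay the same.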
In the case of the GAO report, the Conficker issue in Houston, and Gary McKinnon, there is one clear link when you look at it from a security angle. When access to a network is blocked from the front and blocked from the back door, then you look for a new way in. Thanks to the basic design of a network, that entrance is already there.
The lack of patching, for example, gives worms and other malware the chance to attack. Weak passwords are another opening. The point is, while this sounds sensationalist, the reality is that the government can spend what it wants and study until the end of time, and all a 'terrorist' or criminal would need is a single username with decent enough access and a few cracks at a password using common variations.
Another aspect likely to gain little attention from the review is the data that is moving, not across networks, but rather on laptops and portable drives. Again, using the GAO report as an example, the IRS can completely clean up its act. Yet, if one manager or other employee loses a laptop, portable drive, or other data device containing the right information, then it is very much game over.
The fact that President Obama has ordered this review is a positive start. The idea that the government and both the private and public sectors will be required to work hand-in-hand is a pipe-dream come true. There are different sets of rules for networks depending on the type and agency.
For example, public sector networks are often stronger than government networks. Yet, most of the time the government network will have stronger controls on information. So making them work together will be great... if it happens.
However, if all the review does is lead to a nationwide DLP (data loss prevention) or NAC (network access control) initiative, then it might be better off left alone. What good would stronger national cyber security be if we are left with no productivity and a shell of what the Internet once was?
The review could very well lead to the same old arguments: that access controls that are too strict reduce productivity and cost more, that there is no way to manage everything, or that no matter what is done, there is no 'silver bullet' to protect us all. To counter those arguments, policy will be created with no one to enforce or regulate it, and we are left with shiny new IT toys but no better off than we were four years ago.
The review is set to last 60 days. There will be little known until that time has passed and, after that time frame, who knows when we will learn the results. In the meantime, patch your systems, kick off a fresh backup, and change your password. At least you’ll feel secure.