Obama orders Cyber Security review – empty promise or too little too late?
Steve Ragan
President Obama has directed the National Security and Homeland Security Advisors to immediately conduct a review of plans, programs, and current activities underway government wide aimed at combating cyber crime. Melissa Hathaway, a former official in the previous administration who coordinated cyber monitoring for the Director of National Intelligence, will oversee the review.
Obama has called for a review of cyber security...will it matter? (IMG:J.Anderson)
The review, set to last 60-days, will develop what will eventually become the framework that is expected to ensure U.S. cyber security is integrated, resourced, and coordinated with Congress and the private sector. While there have been several attempts in the past to move cyber security to a large scale, ego and politics have always prevented inter-agency cooperation.
According to AP reports, as well as official comment from John Brennan, who is Assistant to the President for Counterterrorism and Homeland Security, the security and economic health of the United States will depend on the security, stability, and integrity of our cyberspace, both on a private and public level.
“The President is confident that we can protect our nation’s critical cyber infrastructure while at the same time adhering to the rule of law and safeguarding privacy rights and civil liberties," said Brennan.
This sounds great on paper. The review will look at things like how passport applications, tax returns, and other sensitive documents are stored and utilized. The process will also involve how agencies implement and deal with network security issues. Yet, if the past has shown us anything, the little things expose the government far more than a single national cyber attack.
Take Gary McKinnon, the famous government "hacker" and UFO fan, He didn’t crack government computers at all. He used remote access software with default passwords to gain the access he was changed with. Once McKinnon gained access to the government computer, if he were malicious, then the network was his on many levels. However, McKinnon wasn't malicious, he was just zealous and later caught in the middle of a political war.
Another example occurred recently. The Conficker Worm took down part of the network used by the courts in Houston.The Conficker infection caused cases to be moved, and even halted arrests on a minor scale.
In January, the Government Accountability Office (GAO) slammed the IRS for security policy. One of the items in the GAO report is that the, “IRS continues to transmit data, such as account and financial information, from its financial accounting system using an unencrypted protocol.”
The GAO slammed the IRS for using weak passwords, that excessive system user controls are being granted to users (most user accounts run on an elevated level), and that System IDs, passwords, and information are available to anyone on the IRS network. These IDs and access will link any user to critical applications.
The GAO said that terminated employees were never removed, thus their accounts are all active. Finally, the most damning part of the GAO report, is the inconsistent patching of network systems by the IRS.
In the case of the GAO report, the Conficker issue in Houston, and McKinnon there is one clear link you can see when you look at it from a security angle. When access to a network is blocked from the front and blocked from the backdoors, then you need to look at a new way in. Thanks to the basic design of a network, that entrance is already there.
The lack of patching for example, could allow Worms and other Malware the chance to attack. Weak passwords are another option. The point is, while this sounds sensationalist, the reality of it is that the government can spend what it wants, study until the end of time, and all a “terrorist” or criminal would need is a single username with decent enough access and a few cracks at a password using common variations.
Another aspect likely to gain little attention from the review is the data that is moving, not across networks, but on laptops and portable drives. Again, using the GAO report as an example, the IRS can completely clean up their act. Yet, if one manager or other employee loses a laptop, portable drive, or other data device with the right information, then it is game over.
The fact that Obama has ordered this review is a positive start. The idea that the government and both the private and public sectors will be required to work hand-in-hand is a pipe-dream come true. There are different sets of rules for networks depending on the type and agency. For example, public sector networks are often stronger than governments. Yet, most of the time the government network will have stronger controls on information. So making them work together will be great, if it happens.
However, if all the review does is lead to a nationwide DLP or NAC initiative, then it might be better off left alone. What good would stronger national cyber security be if we are left with no productivity, and a shell of what once was the Internet?
The review could very well lead to the same argument that access controls that are too strict lead to less production and cost more, that there is no way to manage everything, or that no matter what is done, there is no “silver bullet” to protect us all. To compensate those arguments policy will be created, with no one to enforce or regulate it, and we are left with shiny new IT toys, but are no better off now then we were four years ago.
The review is set to last 60-days. There will be little known until then, and after that time frame, who knows when we will learn the results. In the meantime, patch your systems, kick off a fresh backup, and change your password. At least you’ll feel secure.