IT security: Too big for government

 


Computer hackers have ridden the Web well beyond the reach of government to control the problem. Security leaders say industry must take the point.

Information technology security and information assurance are becoming too critical, too big and too complex a problem for the government to handle by itself, according to two security experts. But they disagree on how well government and industry are responding to the need for greater cooperation to improve cybersecurity.

Tony Sager, chief of the National Security Agency's Vulnerability Analysis and Operations Group, said in an opening address at the recent Black Hat security conference in Las Vegas that government needs industry's help and that NSA is reaching out to industry.

'We've got to figure out how to solve this problem with solutions that scale across the entire community,' Sager said. That means his agency must bring its information to the table and find common ground with the private and academic sectors. '"We're from the government and we're here to help" doesn't work with this crowd.'

According to Richard Clarke, former U.S. counterterrorism czar, who shared the opening keynote address slot with Sager, the government's culture must change a lot more before the country's critical infrastructure can be secured.

'I'd like to know why it was that we lost momentum in solving the problem in more than a piecemeal manner,' Clarke said in an interview with Government Computer News. 'There is no leadership. There is no national plan implemented.'

Industry, commerce, health care and national defense increasingly rely on an Internet that remains brittle and open to attack and disruption, Clarke said. 'The day-to-day environment is replete with crime and espionage. We are accepting a high level of cost we needn't accept. But we've done nothing to solve the problem.'

Clarke has been a high-profile critic of the nation's cyberdefense efforts since his retirement from government in 2003. Now the chairman of Good Harbor Consulting, he served under four presidents, from Ronald Reagan to George W. Bush.

His last government position was chief counterterrorism adviser under Presidents Clinton and Bush, and he helped develop the National Strategy to Secure Cyber Space, released in February 2003.

Despite concerns about a lack of leadership, change is occurring, Sager said. Although much of NSA's work remains secret, Sager's organization in the agency is a reflection of the need to work with industry to develop open and standardized security and research practices.

When Sager began working at NSA in 1977, 'it was a dramatically different security problem,' he said. IT security was a government monopoly. 'The government owned the problem,' and could control the technology. 'Those days are over.'

NSA has struggled with the change in culture. 'But you have no choice but to be concerned about the security of commercial products' the government does not control, Sager said. 'We changed the way we behaved' to gain the trust and cooperation of the security research community.

But according to Clarke, government has lost an opportunity to make real progress in IT security since the release of the National Strategy to Secure Cyber Space.

'In this case, we had high-level awareness that there was a problem,' Clarke said. President Bush signed off on the strategy and there was an understanding among government and industry leaders who collaborated on the strategy of the need for the two sectors to cooperate. 'They understood it was not mainly a government problem,' he said. There was a necessary role for government, but 'it was a private-sector problem, mainly.'

However, little progress has been made and some ground has been lost. The government has failed to provide a role model for security, as it was supposed to under the strategy; federal funding for security research and development is down; and the situation probably will get worse before it gets better, he said. 'We need to ask ourselves, why?'

The problem stems from a lack of congressional as well as presidential leadership, coupled with a lack of executive initiative in the private sector, Clarke said.

'The government didn't want to regulate,' he said, and did not feel competent to regulate in technical areas. Without government leadership, corporations won't move unless forced by some catastrophe. 'What motivates people at the corporate level is disaster.'

Meanwhile, there has been progress from companies that see a relationship between the security of their products and their business success. Corporate giants such as Microsoft, Cisco and Oracle often are cited as examples of companies that have improved their own software development processes. Government has had a hand in encouraging those improvements by creating standards and putting business pressure on the companies.

NSA's set of security guidelines for Windows NT in 1999 was just one of 14 sets of such guidelines for that operating system. But the complexity of Windows 2000 made the job too difficult for NSA to handle alone.

The agency built a cross-agency, public/private partnership with the Defense Information Systems Agency, the National Institute of Standards and Technology (NIST), the SANS Institute and the Center for Internet Security to develop guidelines.

This led to a standard default configuration for the OS required by the Air Force, which eventually was adopted by the Defense Department and civilian agencies.

NSA now is partnering with other agencies in developing a number of open programs such as the Common Vulnerabilities and Exposures scheme and the Security Content Automation Program housed at NIST.

But Clarke said effective leadership could have accomplished much more by now. Service providers could be filtering malware before it hits the local-area network and end user, he said. There could be better and more encryption, a secure Domain Name System and a parallel network structure to provide priority service during emergencies.

However, there are bright spots. Companies are beginning to reduce the scope of vulnerabilities in their software and IPv6 is slowly moving forward, especially in Asia. But Clarke is not optimistic about the government's ability to make use of the new version of IP, which is supposed to be enabled on agencies' backbone networks by next June.

'I am very skeptical that the government is going to do the things it says it will do, because it hasn't over the last five years,' he said.

What can be done to improve the situation? The next administration might appoint someone to lead the effort, he said. 'Certainly not me, because I'm not going back in.'

Until that leadership comes, Clarke is afraid that nothing short of a catastrophe will focus adequate attention on these issues.

In the absence of the financial pain caused by a cyberdisaster, 'the only thing that's going to get anybody to do anything is regulation,' Clarke said. 'And that's too bad, but when you have a market failure, you have to have regulation.'

RISKY BUSINESS: Former counterterrorism czar Richard Clarke says, 'We are accepting a high level of cost we needn't accept.'

Photo by Jae C. Hong/AP

In the past, 'the government owned the problem. Those days are over.' - Tony Sager, NSA


























