IT security: Too big for government

Information technology security and information assurance are becoming too critical, too big and too complex a problem for the government to handle by itself, according to two security experts. But they disagree on how well government and industry are responding to the need for greater cooperation to improve cybersecurity.Tony Sager, chief of the National Security Agency's Vulnerability Analysis and Operations Group, said in an opening address at the recent Black Hat security conference in Las Vegas that government needs industry's help and that NSA is reaching out to industry.'We've got to figure out how to solve this problem with solutions that scale across the entire community,' Sager said. That means his agency must bring its information to the table and find common ground with the private and academic sectors. ' 'We're from the government and we're here to help' doesn't work with this crowd.'According to Richard Clarke, former U.S. counterterrorism czar, who shared the opening keynote address slot with Sager, the government's culture must change a lot more before the country's critical infrastructure can be secured.'I'd like to know why it was that we lost momentum in solving the problem in more than a piecemeal manner,' Clarke said in an interview with Government Computer News. 'There is no leadership. There is no national plan implemented.'Industry, commerce, health care and national defense increasingly rely on an Internet that remains brittle and open to attack and disruption, Clarke said. 'The day-to-day environment is replete with crime and espionage. We are accepting a high level of cost we needn't accept. But we've done nothing to solve the problem.'Clarke has been a high-profile critic of the nation's cyberdefense efforts since his retirement from government in 2003. Now the chairman of Good Harbor Consulting, he served under four presidents, from Ronald Reagan to George W. Bush.His last government position was chief counterterrorism adviser under Presidents Clinton and Bush, and he helped develop the National Strategy to Secure Cyber Space, released in February 2003.Despite concerns about a lack of leadership, change is occurring, Sager said. Although much of NSA's work remains secret, Sager's organization in the agency is a reflection of the need to work with industry to develop open and standardized security and research practices.When Sager began working at NSA in 1977, 'it was a dramatically different security problem,' he said. IT security was a government monopoly. 'The government owned the problem,' and could control the technology. 'Those days are over.'NSA has struggled with the change in culture. 'But you have no choice but to be concerned about the security of commercial products' the government does not control, Sager said. 'We changed the way we behaved' to gain the trust and cooperation of the security research community.But according to Clarke, government has lost an opportunity to make real progress in IT security since the release of the National Strategy to Secure Cyber Space.'In this case, we had high-level awareness that there was a problem,' Clarke said. President Bush signed off on the strategy and there was an understanding among government and industry leaders who collaborated on the strategy of the need for the two sectors to cooperate. 'They understood it was not mainly a government problem,' he said. There was a necessary role for government, but 'it was a private-sector problem, mainly.'However, little progress has been made and some ground has been lost. The government has failed to provide a role model for security, as it was supposed to under the strategy; federal funding for security research and development is down; and the situation probably will get worse before it gets better, he said. 'We need to ask ourselves, why?'The problem stems from a lack of congressional as well as presidential leadership, coupled with a lack of executive initiative in the private sector, Clarke said.'The government didn't want to regulate,' he said, and did not feel competent to regulate in technical areas. Without government leadership, corporations won't move unless forced by some catastrophe. 'What motivates people at the corporate level is disaster.'Meanwhile, there has been progress from companies that see a relationship between the security of their products and their business success. Corporate giants such as Microsoft, Cisco and Oracle often are cited as examples of companies that have improved their own software development processes. Government has had a hand in encouraging those improvements by creating standards and putting business pressure on the companies.NSA's set of security guidelines for Windows NT in 1999 was just one of 14 sets of such guidelines for that operating system. But the complexity of Windows 2000 made the job too difficult for NSA to handle alone.The agency built a cross-agency, public/private partnership with the Defense Information Systems Agency, the National Institute of Standards and Technology (NIST), the SANS Institute and the Center for Internet Security to develop guidelines.This led to a standard default configuration for the OS required by the Air Force, which eventually was adopted by the Defense Department and civilian agencies.NSA now is partnering with other agencies in developing a number of open programs such as the Common Vulnerabilities and Exposures scheme and the Security Content Automation Program housed at NIST.But Clarke said effective leadership could have accomplished much more by now. Service providers could be filtering malware before it hits the local-area network and end user, he said. There could be better and more encryption, a secure Domain Name System and a parallel network structure to provide priority service during emergencies.However, there are bright spots. Companies are beginning to reduce the scope of vulnerabilities in their software and IPv6 is slowly moving forward, especially in Asia. But Clarke is not optimistic about the government's ability to make use of the new version of IP, which is supposed to be enabled on agencies' backbone networks by next June.'I am very skeptical that the government is going to do the things it says it will do, because it hasn't over the last five years,' he said.What can be done to improve the situation? The next administration might appoint someone to lead the effort, he said. 'Certainly not me, because I'm not going back in.'Until that leadership comes, Clarke is afraid that nothing short of a catastrophe will focus adequate attention on these issues.In the absence of the financial pain caused by a cyberdisaster, 'the only thing that's going to get anybody to do anything is regulation,' Clarke said. 'And that's too bad, but when you have a market failure, you have to have regulation.'