Computer systems have become increasingly powerful and interconnected via the Internet, with most public and private enterprises relying on them for essential business functions. In addition, the number and sophistication of attacks by criminals and vandals is growing, and many experts believe that our cyber infrastructure is a primary target for terrorists and other adversaries.
Just this month, Rep. Christopher Smith (R – NJ 4th Dist.) said his human-rights subcommittee’s computers were attacked in December 2006 and again in March 2007. “At that time, IT professionals cleaned the computers and informed my staff that the attack seemed to come from the People’s Republic of China,” said Smith during debate on a House resolution urging increased protection of Congressional computer systems.
Also this month, the Washington Post reported that the Hatch Nuclear Power Plant in Georgia was forced into an emergency shutdown for two days subsequent to the installation of a software update. This brings home the point that some computer systems at key facilities are connected to control systems that apparently were not designed with security as a key feature.
This brings us to the Presidential race. While Senators John McCain and Barack Obama have stated their stances on the Iraq War, education, healthcare, the economy and taxes, neither has discussed one word about protecting our cyber infrastructure.
And despite all of the emphasis placed on IT security in recent years, a recent General Accounting Office report has found federal agencies are not testing their security controls with any consistency or timeliness, and as a result may not realize their systems’ weaknesses. The U.S. government earned a “C” for protecting against cyber attack, which is a slight improvement over the “C-minus” received in 2007; when nine agencies earned failing grades, including the departments of Defense, Labor, Treasury and Veterans Affairs.
Shouldn’t the fact that computer cyber-criminals have penetrated deeply into the information systems of U.S. companies and government agencies, stolen proprietary information, and possibly gained access to electric power plants be a wake up call to our elected leaders?
Apparently not, as the Democratic and Republican conventions draw near, the candidates need to take a hard look at what he will offer in terms of addressing cyber security. Here, in my opinion, are three critical areas each should consider when formulating their views:
First, it is imperative for the Federal Government and U.S. industry to work together to facilitate the establishment of standards and best practices securing our nations cyber-infrastructure. It should be the policy of the United States to prevent or minimize attacks on our critical information infrastructure in order to protect the public, the economy, government services, and the national security of the United States. Information exchange and cooperation can allow both sides to address awareness, training, technological improvements, vulnerability remediation and recovery operations. While the Department of Homeland Security has taken initial steps to work with the public sector to reduce cyber risk, disseminate threat information, and share best practices and apply appropriate protective actions, more can and must be done.
Next, establish a national incident warning and response capability and procedures for sharing information both nationally and internationally. The National Cyberspace Response System, establish in 2004, is responsible for coordinating the processes and protocols that will determine when and what actions need to be taken as cyber incidents arise. But little to no effort has been taken to proactively assess risk, prioritize resources, and execute protective measures critical to securing our cyber infrastructure.
Finally, the government should encourage and financially support developing curricula and instruction for more effective teaching and training in
cyber security at all educational levels.
The simple and sad fact is that we are falling behind in technology innovation, investment and research. The Cyber Security R&D Center established by the Department of Homeland Security in 2004 to coordinate cross-agency and multidisciplinary collaboration, between R&D labs, industry, academia and the government is another good initial step. But the cold hard truth is the U.S. is not producing.
These areas are not the end-all be-all solution, but will mark a significant step in the right direction and can help influence voters opinions come November. If neither candidate makes a commitment as to how he will address cyber terrorism between now and then, it could potentially be viewed as a lost opportunity for the candidate who loses, and worse, create a major question mark for the election’s winner.
Michael Markulec is COO for Lumeta (www.lumeta.com), the creator of IPSonar, a tool which creates a visual map the existing internet. This technology is currently used by several of the largest U.S. federal government agencies such as the Federal Aviation Administration
(FAA), various U.S. intelligence agencies and the Department of Energy, as well as leading commercial organizations, to map their existing IT networks and establish the true perimeter so that IT and network security personnel can see any vulnerabilities which may be present, then adjust security measures to compensate.
http://advice.cio.com/markulec/which_presidential_candidate_has_the_better_cyber_security_position?page=0%2C1
