Cybersecurity experts question US gov't effort
Government has to get its own cybersecurity in order, needs to encourage others outside of government
WASHINGTON - The U.S. government isn't doing enough to encourage cybersecurity efforts outside of government and it still needs to get its own cybersecurity house in order, two security experts testified before a U.S. House committee Thursday.
The government's main cybersecurity law might do nothing more than bury bureaucrats in paperwork, one witness at a House Government Reform Committee hearing testified. Another witness called on the government to push for more secure Internet standards and for government agencies to separate their Web sites from networks containing security-sensitive information.
The U.S. government's own Federal Information Security Management Act (FISMA), passed in 2002 in an attempt to require U.S. agencies to track their cybersecurity efforts, "runs the risk of becoming a paperwork exercise," said Kenneth Ammon, president of NetSec Corp., a managed security service vendor. FISMA's emphasis on certification and accreditation (C and A) of computer systems can help ensure security measures are built into new software, but it's difficult to apply certifications to existing or older legacy systems, Ammon told the House Government Reform Committee.
"Due to the fact that FISMA compliance and progress have been equated with how many systems have gone through C and A, agencies are slavishly spending scarce resources to produce C and A reports that merely state the obvious: the legacy system is not secured and can't be effectively secured -- in page after gory page of detail," Ammon said.
The U.S. government also should push for Internet tools like BGP (Border Gateway Protocol) and the DNS (Domain Name System) to include authentication security, added F. Thomson Leighton, chief scientist at Akamai Technologies Inc., a distributed computing platform vendor. Both BGP and DNS lack authentication, making it relatively easy for hackers to redirect Internet traffic, he said.
The U.S. government's role should be to push for new security measures on the Internet, Leighton added. "I don't think we need to replace the Internet to make it more secure," he said. "It's improving the protocols. The federal government can certainly play an important role in highlighting the problem."
Committee chairman Tom Davis, a Virginia Republican, asked if those protocols would be improved quickly if the federal government doesn't push for it. Leighton answered no.
Leighton also called on U.S. government agencies to separate their public-facing Web sites from other government networks. "As long as the public is invited into government networks in order to access Web sites, it is difficult, if not impossible, to prevent unwanted access by hackers," he said. "Today you have a situation where there are many government networks where they have thousands of public-facing Web sites sitting side by side with sensitive government services. That's a recipe for problems."
Asked by Representative John Tierney, a Massachusetts Democrat, if separating public Web sites from sensitive government networks would reduce public access to government information, Leighton said the opposite would happen. With government Web sites running on their own networks, those sites would be faster to access and cheaper to maintain, Leighton said.