U.S. government focuses on securing backdoors in tech products

As part of a comprehensive cybersecurity push, the U.S. government will focus on improving its network defense capabilities and on revamping acquisition rules to protect against malicious code installed during the manufacturing process of electronic devices.

The National Cybersecurity Initiative, announced by President George Bush in January, will replace the government's outdated network perimeter defense system, officials from the U.S. Department of Homeland Security (DHS) and other agencies said at a Monday cybersecurity conference hosted by the Information Technology Association of America.

[ Learn how to secure your systems with Roger Grimes' Security Adviser blog and newsletter, both from InfoWorld. ]

Officials from DHS, the White House and the Office of the Director of National Intelligence (DNI) used the conference to unveil new details about the cybersecurity initiative, which involves multiple government agencies. Cyberattacks have grown more sophisticated and more targeted in the past year, said Melissa Hathaway, senior advisor for cybersecurity at DNI.

"We are faced with a dangerous combination of known and unknown vulnerabilties, strong adversary capabilities and very weak situational awareness at this time," Hathaway added. "We see this as a growing economic and national security crisis that cannot wait any longer to be addressed."

Government officials are increasingly concerned about hidden vulnerabilties and Trojan horses in commercial technology products, said Paul Schneider, deputy secretary at DHS. The U.S. government needs to better protect its supply chain, particularly when a growing number of tech products are produced overseas, he said.

"Make no mistake about it, this is a real concern," Schneider said.

The U.S. government will work with private vendors to address those supply-chain concerns, he said. DHS is looking at implementing stricter acquisition rules for tech products, Jamison added.

There have been recent examples of credit-card point-of-sale machines stealing credit card numbers and passwords, Hathaway noted. "We need to be more and more concerned about backdoors in the supply chain," she said.

Another major concern is the U.S. government's perimeter defense, officials said. The current perimeter defense scanner, nicknamed Einstein, was launched in 2004 and is a largely passive monitoring system, Schneider said.

"Simply put, [Einstein] is a flow management system that lets us know after we've been attacked," added Neill Sciarrone, special assistant on cybersecurity in the White House.

In addition, Einstein protected a small percentage of the access points to the federal government's networks, added Robert Jamison, undersecretary for national protection and programs at DHS. His agency is currently testing a new version of Einstein that would protect all of the government's networks, he said.

The U.S. government at one point had about 4,500 Internet gateways, and it's working toward reducing the number to less than 100, Jamison said.

The new version of Einstein will include offensive capabilities to anticipate where attacks will come from and shut down attackers, Sciarrone said. "Detection is not enough," she said. "We need to move forward to prevention."

The long-term cybersecurity initiative will focus on several other issues, including better sharing of information about cyberattacks and sharing government defense capabilities with private companies, officials said. The government also will work on recruiting more cybersecurity experts to work for U.S. agencies and educating Internet users about vulnerabilties, they said.