International Trade Today is a service of Warren Communications News.

CSIA Calls for Presidential Directive to Beef Up Cyber Security

The federal govt. must take the lead in building a stronger national information assurance policy, a former DHS adviser said Thurs. A 2-tier structure would help the federal govt. establish priorities among escalating cyber security breaches, said Paul Kurtz, exec. dir.-Cyber Security Industry Alliance.

The first tier would emphasize U.S. economic and national security and involve emergency exercises that would help the federal govt. prepare contingency plans, Kurtz said. This tier would require a Presidential directive that would combine multiple agencies that currently replicate each other’s work, he added. “We must do our best to make this resilient to weather an attack,” Kurtz said at the Govt. Security Expo, in a panel on IT security threats: “We are not ready for a major disruption of infrastructure today and have a long way to go before we get more.” The federal govt. has conducted 2 emergency exercises and is encouraging them at the state level.

The 2nd tier involves creating stronger public and private sector partnerships to emphasize coordination, education and preparedness, Kurtz said. The govt. also needs more authentication technologies, secure fundamental protocols, modeling test beds for new technologies, and stricter cyber forensics, said Thomas Leighton, chmn. of the President’s IT Advisory Committee.

The DoD budget doesn’t give civilian cybersecurity enough money, Leighton said. His committee requested $90 million for the effort. “The state of cybersecurity is bad and it’s getting worse,” he said: “We are being exploited on a daily basis.” Leighton’s committee also has determined that much of the research conducted on cybersecurity shouldn’t be classified, nor should it be forced out of a university setting. The govt. should give small business grants and fund unclassified university work, Leighton added.

Leighton also stressed the growing prominence of pharming, the exploitation of a DNS server vulnerability that lets an attacker control where a site’s domain name resolves. The culprit redirects that website’s traffic to another site. At least 13,000 Internet domains were compromised in 2005 by pharming attacks, Leighton said. “We want the government to take leadership today in controlling this,” he said: Pharming is “exploding and we don’t notice. It is a large problem and really hard to track.”

Kurtz reiterated that the govt. needs to do a better job of tracking information infrastructure trends and costs. A new DoJ-Dept. of Homeland Security survey that will gauge the costs of cyber incidents may be a step in the right direction, Kurtz said.

The survey will estimate the number of cyber attacks, frauds and information thefts and the resulting losses in 2005, according to the DoJ Web site. Distribution of the survey to 3,000-5,000 businesses began Mon. and will be completed this year. In the pilot version, almost 3/4 of businesses said they had been victimized by cybercrime in 2001. Computer virus infections were the most common form of attack (64%), followed by denial of service incidents (25%) and vandalism or sabotage (19%), DoJ said. The survey will assist in coordinating efforts among agencies, but the govt. didn’t publicize the survey much, Kurtz said: “You can’t manage what you can’t measure. How are we supposed to manage federal resources?”

Meanwhile, CSIA is reaching out internationally and has chosen an agency to lobby European govt. leaders in Brussels. CSIA is entering Europe because it has no industry group specializing in information security public policy, Kurtz said. The operation in Brussels will be autonomous and won’t push a U.S. agenda. The Brussels office will focus on the 2010 Lisbon Agenda initiative, to help the EU determine cybersecurity law over the next 4 years. “We will look at laws and regulations that have been passed and make sure we are not building redundant or conflicting regulations,” Kurtz said.