
9/16/2008
11:42 PM
George V. Hulme
Commentary

GAO States Obvious: U.S. Cybersecurity Is Stinko

The Government Accountability Office finds government's cybersecurity efforts lacking.

First, does anyone have any idea why the U.S. government refers to information security as "cybersecurity"? I thought the term "cyberspace" went out of fashion about a decade ago. I guess it's better than referring to IT security as "Information Super-Highway" security.

Regardless of the nomenclature, if you want to be able to use "The Google," it's very important that we keep all of the tubes on the Internet clean.

Back to the GAO's national information security findings. In a nutshell, the GAO found a number of challenges facing the U.S. Computer Emergency Readiness Team (US-CERT) in its charter to help secure the national IT infrastructure. (I'm sorry, but I just can't use the term "cyberspace" or "cybersecurity" -- it simply makes the discipline sound silly.)

The fascinating point I gleaned from the report is how few of the shortcomings are new, compared with those the GAO had already identified in earlier reports. There is exactly one new challenge, straight from the GAO's report:

The newly identified challenge is creating warnings that are actionable and timely -- US-CERT does not consistently issue warnings and other notifications that its customers find useful.

I've always appreciated US-CERT's warnings as thorough and as having no ax to grind, unlike many security vendors. My beef with US-CERT's warnings is that, at least the public ones I'm privy to, seem to arrive so late.

Here's the long list of shortcomings the GAO had already reported to the government in earlier reviews and that still remain unfixed:

• employing predictive cyber analysis -- the organization has not established the ability to determine broader implications from ongoing network activity, predict or protect against future threats, or identify emerging attack methods;

• developing more trusted relationships to encourage information sharing -- federal and nonfederal entities are reluctant to share information because US-CERT and these parties have yet to develop close working and trusted relationships that would allow the free flow of information;

• having sufficient analytical and technical capabilities -- the organization has difficulty hiring and retaining adequately trained staff and acquiring supporting technology tools to handle a steadily increasing workload; and

• operating without organizational stability and leadership within DHS -- the department has not provided the sustained leadership to make cyber analysis and warning a priority. This is due in part to frequent turnover in key management positions that currently also remain vacant. In addition, US-CERT's role as the central provider of cyber analysis and warning may be diminished by the creation of a new DHS center at a higher organizational level.

Until DHS addresses these challenges and fully incorporates all key attributes into its capabilities, it will not have the full complement of cyber analysis and warning capabilities essential to effectively performing its national mission.

Accordingly, we are making 10 recommendations to the Secretary of Homeland Security to improve DHS's cyber analysis and warning capabilities by implementing key cyber analysis and warning attributes and addressing the challenges, including:

• developing close working and more trusted relationships with federal and nonfederal entities that would allow the free flow of information,

• expeditiously hiring sufficiently trained staff and acquiring supporting technology tools to handle the steadily increasing workload,

• ensuring consistent notifications that are actionable and timely,

• filling key management positions to provide organizational stability and leadership, and

• ensuring that there are distinct and transparent lines of authority and responsibility assigned to DHS organizations with cybersecurity roles and responsibilities. In written comments

What I find frustrating is that most of this stuff was heavily discussed and debated toward the end of 2002 and throughout 2003. The good news is that the GAO only found one new shortcoming. So while the situation isn't improving, it isn't getting much worse, either. That's one way we can look at it. Right?

To be clear: I'm not casting blame on US-CERT, because I'm not sure whether these failings remain unrectified because of a lack of DHS leadership, a lack of budget from Congress, or a lack of organizational will within US-CERT -- or a blend of all of those reasons.

I do know what needs to get done isn't getting done.
