Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

9/16/2008
11:42 PM
George V. Hulme
George V. Hulme
Commentary
50%
50%

GAO States Obvious: U.S. Cybersecurity Is Stinko

The Government Accountability Office finds government's cybersecurity efforts lacking.

The Government Accountability Office finds government's cybersecurity efforts lacking.First, anyone have any idea why the U.S. government refers to information security as "cybersecurity?" I thought the term cyberspace went out of fashion about a decade ago. I guess it's better than referring to IT security as "Information Super-Highway" security.

Regardless of the nomenclature, if you want to be able to use "The Google," it's very important that we keep all of the tubes on the Internet clean.

Back to the GAO's national information security findings. In a nutshell, the GAO found a number of challenges faced by the U.S. Computer Emergency Readiness Team in its charter to help secure the national IT infrastructure. (I'm sorry, but I just can't use the term "cyberspace" or "cybersecurity" -- simply makes the discipline sound silly).

The fascinating point I gleaned from the report is the number of new shortcomings the GAO proffered, compared with those they previously recommended. First, there is only one new challenge, straight from the GAO's report:

The newly identified challenge is creating warnings that are actionable and timely -- US-CERT does not consistently issue warnings and other notifications that its customers find useful.

I've always appreciated US-CERT's warnings as thorough and having no ax to grind, like many security vendors seem to have. My beef with US-CERT's warnings is that, at least the public one's I'm privy to, seem so late.

Here's the long list of shortcomings the GAO has previously informed all branches of our government that still remain unfixed:

• employing predictive cyber analysis -- the organization has not established the ability to determine broader implications from ongoing network activity, predict or protect against future threats, or identify emerging attack methods;

• developing more trusted relationships to encourage information sharing -- federal and nonfederal entities are reluctant to share information because US-CERT and these parties have yet to develop close working and trusted relationships that would allow the free flow of information;

• having sufficient analytical and technical capabilities -- the organization has difficulty hiring and retaining adequately trained staff and acquiring supporting technology tools to handle a steadily increasing workload; and

• operating without organizational stability and leadership within DHS -- the department has not provided the sustained leadership to make cyber analysis and warning a priority. This is due in part to frequent turnover in key management positions that currently also remain vacant. In addition, US-CERT's role as the central provider of cyber analysis and warning may be diminished by the creation of a new DHS center at a higher organizational level.

Until DHS addresses these challenges and fully incorporates all key attributes into its capabilities, it will not have the full complement of cyber analysis and warning capabilities essential to effectively performing its national mission.

Accordingly, we are making 10 recommendations to the Secretary of Homeland Security to improve DHS's cyber analysis and warning capabilities by implementing key cyber analysis and warning attributes and addressing the challenges, including:

• developing close working and more trusted relationships with federal and nonfederal entities that would allow the free flow of information,

• expeditiously hiring sufficiently trained staff and acquiring supporting technology tools to handle the steadily increasing workload,

• ensuring consistent notifications that are actionable and timely,

• filling key management positions to provide organizational stability and leadership, and

• ensuring that there are distinct and transparent lines of authority and responsibility assigned to DHS organizations with cybersecurity roles and responsibilities. In written comments

What I find frustrating is that most of this stuff was heavily discussed and debated toward the end of 2002 and throughout 2003. The good news is that the GAO only found one new shortcoming. So while the situation isn't improving, it isn't getting much worse, either. That's one way we can look at it. Right?

To be clear: I'm not casting blame on US-CERT, because I'm not sure if these failings are not being rectified because of lack of DHS leadership, lack of budget from Congress, or lack of organizational will within the US-CERT -- or a blend of all of those reasons.

I do know what needs to get done isn't getting done.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-12512
PUBLISHED: 2021-01-22
Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to an authenticated reflected POST Cross-Site Scripting
CVE-2020-12513
PUBLISHED: 2021-01-22
Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to an authenticated blind OS Command Injection.
CVE-2020-12514
PUBLISHED: 2021-01-22
Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to a NULL Pointer Dereference that leads to a DoS in discoveryd
CVE-2020-12525
PUBLISHED: 2021-01-22
M&M Software fdtCONTAINER Component in versions below 3.5.20304.x and between 3.6 and 3.6.20304.x is vulnerable to deserialization of untrusted data in its project storage.
CVE-2020-12511
PUBLISHED: 2021-01-22
Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to a Cross-Site Request Forgery (CSRF) in the web interface.