Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

9/16/2008
11:42 PM
George V. Hulme
George V. Hulme
Commentary
50%
50%

GAO States Obvious: U.S. Cybersecurity Is Stinko

The Government Accountability Office finds government's cybersecurity efforts lacking.

The Government Accountability Office finds government's cybersecurity efforts lacking.First, anyone have any idea why the U.S. government refers to information security as "cybersecurity?" I thought the term cyberspace went out of fashion about a decade ago. I guess it's better than referring to IT security as "Information Super-Highway" security.

Regardless of the nomenclature, if you want to be able to use "The Google," it's very important that we keep all of the tubes on the Internet clean.

Back to the GAO's national information security findings. In a nutshell, the GAO found a number of challenges faced by the U.S. Computer Emergency Readiness Team in its charter to help secure the national IT infrastructure. (I'm sorry, but I just can't use the term "cyberspace" or "cybersecurity" -- simply makes the discipline sound silly).

The fascinating point I gleaned from the report is the number of new shortcomings the GAO proffered, compared with those they previously recommended. First, there is only one new challenge, straight from the GAO's report:

The newly identified challenge is creating warnings that are actionable and timely -- US-CERT does not consistently issue warnings and other notifications that its customers find useful.

I've always appreciated US-CERT's warnings as thorough and having no ax to grind, like many security vendors seem to have. My beef with US-CERT's warnings is that, at least the public one's I'm privy to, seem so late.

Here's the long list of shortcomings the GAO has previously informed all branches of our government that still remain unfixed:

• employing predictive cyber analysis -- the organization has not established the ability to determine broader implications from ongoing network activity, predict or protect against future threats, or identify emerging attack methods;

• developing more trusted relationships to encourage information sharing -- federal and nonfederal entities are reluctant to share information because US-CERT and these parties have yet to develop close working and trusted relationships that would allow the free flow of information;

• having sufficient analytical and technical capabilities -- the organization has difficulty hiring and retaining adequately trained staff and acquiring supporting technology tools to handle a steadily increasing workload; and

• operating without organizational stability and leadership within DHS -- the department has not provided the sustained leadership to make cyber analysis and warning a priority. This is due in part to frequent turnover in key management positions that currently also remain vacant. In addition, US-CERT's role as the central provider of cyber analysis and warning may be diminished by the creation of a new DHS center at a higher organizational level.

Until DHS addresses these challenges and fully incorporates all key attributes into its capabilities, it will not have the full complement of cyber analysis and warning capabilities essential to effectively performing its national mission.

Accordingly, we are making 10 recommendations to the Secretary of Homeland Security to improve DHS's cyber analysis and warning capabilities by implementing key cyber analysis and warning attributes and addressing the challenges, including:

• developing close working and more trusted relationships with federal and nonfederal entities that would allow the free flow of information,

• expeditiously hiring sufficiently trained staff and acquiring supporting technology tools to handle the steadily increasing workload,

• ensuring consistent notifications that are actionable and timely,

• filling key management positions to provide organizational stability and leadership, and

• ensuring that there are distinct and transparent lines of authority and responsibility assigned to DHS organizations with cybersecurity roles and responsibilities. In written comments

What I find frustrating is that most of this stuff was heavily discussed and debated toward the end of 2002 and throughout 2003. The good news is that the GAO only found one new shortcoming. So while the situation isn't improving, it isn't getting much worse, either. That's one way we can look at it. Right?

To be clear: I'm not casting blame on US-CERT, because I'm not sure if these failings are not being rectified because of lack of DHS leadership, lack of budget from Congress, or lack of organizational will within the US-CERT -- or a blend of all of those reasons.

I do know what needs to get done isn't getting done.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 6/5/2020
How AI and Automation Can Help Bridge the Cybersecurity Talent Gap
Peter Barker, Chief Product Officer at ForgeRock,  6/1/2020
Cybersecurity Spending Hits 'Temporary Pause' Amid Pandemic
Kelly Jackson Higgins, Executive Editor at Dark Reading,  6/2/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: What? IT said I needed virus protection!
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-13864
PUBLISHED: 2020-06-05
The Elementor Page Builder plugin before 2.9.9 for WordPress suffers from a stored XSS vulnerability. An author user can create posts that result in a stored XSS by using a crafted payload in custom links.
CVE-2020-13865
PUBLISHED: 2020-06-05
The Elementor Page Builder plugin before 2.9.9 for WordPress suffers from multiple stored XSS vulnerabilities. An author user can create posts that result in stored XSS vulnerabilities, by using a crafted link in the custom URL or by applying custom attributes.
CVE-2020-11696
PUBLISHED: 2020-06-05
In Combodo iTop a menu shortcut name can be exploited with a stored XSS payload. This is fixed in all iTop packages (community, essential, professional) in version 2.7.0 and iTop essential and iTop professional in version 2.6.4.
CVE-2020-11697
PUBLISHED: 2020-06-05
In Combodo iTop, dashboard ids can be exploited with a reflective XSS payload. This is fixed in all iTop packages (community, essential, professional) for version 2.7.0 and in iTop essential and iTop professional packages for version 2.6.4.
CVE-2020-13646
PUBLISHED: 2020-06-05
In the cheetah free wifi 5.1 driver file liebaonat.sys, local users are allowed to cause a denial of service (BSOD) or other unknown impact due to failure to verify the value of a specific IOCTL.