From: Fred Cohen <fc@all.net>
To: iwar@onelist.com (Information Warfare Mailing List)
Organization: I'm not allowed to say
Date: Wed, 24 Oct 2001 18:25:00 -0700 (PDT)
Message-Id: <200110250125.f9P1P0o10695@red.all.net>
Subject: [iwar] [fc:Homeland.Cyber.Security..We.Need.a.Czar,.Not.a.Coordinator]

Homeland Cyber Security
We Need a Czar, Not a Coordinator
<http://www.securityfocus.com/columnists/32>

President Bush has appointed a
National Advisor on cyber-security; but without the means to enact real change, the appointment will be another in a long line of failed initiatives.

By Richard Forno Oct 23 2001 11:00PM PT

Coordinator noun - An equal, one who fosters consensus and agreement toward a shared goal.
Czar noun - A person with great authority.

In the aftermath of the September 11th tragedy, President Bush announced the creation of the Office of Homeland Security (OHS), a Cabinet-level entity charged with counter-terrorism, cyber-security, and critical infrastructure protection in the domestic United States. One of the three key leaders in this new organization is Richard Clarke, who had previously been appointed by President Clinton to coordinate computer security efforts for the United States. Clarke is one of the few senior government executives who has a grasp of this issue's complexity, although his mantra of an "Electronic Pearl Harbor" is considered somewhat sensationalist by many security professionals.

Sadly, for all the fanfare associated with the creation of the OHS, and despite the definite need for a centralized government body to address this issue, many security professionals (including this one) view the OHS as a typical government response to a major tragedy - namely, the creation of more bureaucracy to address whatever caused the tragedy in the first place. The OHS is not a new concept, but a rehash of several previous federal initiatives that have proven ineffective. These previous attempts to grasp the critical infrastructure security issue have failed, and one wonders if the OHS will be any more successful.

Most of the past attempts created councils, commissions, and coordinators to research, publicize, and influence change. However, none had the statutory and political authority to accomplish its mission. Without such authority, such entities will never be effective.
What we need is not another coordinator attempting to bring together diverse groups to discuss watered-down policies. What we need is a security Czar: a single, knowledgeable leader who understands the issues of 'cyber-security' and who has the real power to enact and enforce security laws in a climate of immediate and effective action.

A brief historical survey of the Federal Government's attempts to grapple with information security issues shows that the approach of coordination by committee has been entirely ineffective.

The first major national effort to address security in the Information Age was The President's Commission on Critical Infrastructure Protection (PCCIP) of July 1996. This interagency commission, established by Presidential Executive Order 13010, was formed to develop a comprehensive national strategy for protecting national critical infrastructures from physical and 'cyber' threats. The same Executive Order also established the Infrastructure Protection Task Force (IPTF) at the FBI, an interagency entity charged with coordinating computer investigations and infrastructure threat assessment matters.

While the PCCIP served its mandated purpose and was dissolved shortly thereafter, the IPTF evolved into the FBI-based National Infrastructure Protection Center (NIPC) in early 1998 under Presidential Decision Directive 63. This new entity was intended to assess, investigate, and respond to threats and/or attacks against components of the national infrastructure, such as national telecommunications, energy, banking and finance, water systems, government operations, and emergency services. However, the NIPC soon evolved to focus exclusively on computer viruses, hackers, and computer crime events and seemed to ignore other equally important areas of critical infrastructure protection.
The NIPC, for all intents and purposes, became the US Government's answer to the Carnegie Mellon Computer Emergency Response Team (CERT) - the only difference being that NIPC's agents have law enforcement and arrest powers. In early 2001, auditors at the Government Accounting Office (GAO) found that NIPC had significant shortcomings and was not truly effective in meeting its chartered responsibilities in the critical infrastructure protection area.

In May 1998, under the same Presidential Directive that established NIPC, a "National Coordinator" position was created whose responsibilities included not only critical infrastructure protection but also protection against acts of terrorism on U.S. soil. President Clinton appointed Richard Clarke as the first National Coordinator for Security, Infrastructure Protection, and Counter-Terrorism. This was followed shortly by the establishment of the Critical Infrastructure Assurance Office (CIAO) - yet another interagency organization to coordinate protection of national critical infrastructures across the federal government but having no direct authority to implement its chartered responsibilities.

In early 2001, the White House, still grasping for solutions, proposed an "Infrastructure Assurance Council" that would include 23 senior officials from across the federal government. Again, this was a group intended to coordinate the development of infrastructure (particularly computer) security policy and procedures for the government. Many security professionals shook their heads at this news - those of us in the 'real world' of security operations know that security by committee never works, particularly in a crisis that requires an immediate response. Furthermore, senior officials and Cabinet-level persons are no better than CEOs when it comes to fully understanding the reality of information assurance topics and devising effective responses.
Instead of calling on CEOs and Cabinet-level officials (the least knowledgeable folks on this subject) to discuss the matter, the government should involve technologists and other operational experts that have a first-hand understanding of the issues, instead of those that simply know of security as a routine corporate function at a very high level.

From this brief history, you can see the repeated attempts of the US government to deal with information security matters. Yet, despite these various undertakings, there has been little real, effective work done in this area. Reading the assorted reports, audits, and Congressional testimony on the government's approach to information security since 1995 is akin to listening to a compact disk with a scratch on it. Six years later, we're still hearing and seeing the exact same assessments and analysis. Yet there are plenty of reports, presentations, briefings, and calls for more resources and research and more ways of "addressing the problem" while not really addressing the problem.

This brings us to September 2001. With the Presidential Proclamation creating the Office of Homeland Security, Richard Clarke, the Clinton-appointed 'cybersecurity coordinator', has been renamed as the President's Special Advisor for Cyberspace Security, one of two deputies in this new office. His mission, again, is to coordinate interagency efforts to secure information systems and, in the event of a disruption, coordinate efforts to restore critical systems. Backing him in his efforts to coordinate policy development and related initiatives is the Homeland Security Council, which is essentially a reincarnation of the aforementioned Infrastructure Assurance Council, and its requisite supporting committees and bureaucracies.

Clarke has major national security responsibilities but no statutory authority to enact the change required by those duties.
He has little influence over agency cybersecurity budgets, and he has essentially been dropped into a turf battle between the security offices of various government agencies, all of whom have existing budgets and statutory responsibilities for cybersecurity initiatives within their respective organizations. Little has changed organizationally and politically since his last assignment under the Clinton Administration - as such, Clarke is facing a difficult, uphill battle. If (more likely when) he meets resistance by some government department, his sole recourse is to ask the President to intervene and, in essence, fight Clarke's almost-inevitable battles for him.

I am a realist and, while I hope that Clarke becomes empowered with sufficient authority to make a difference and fulfill his responsibilities, I don't have much hope that his role as a coordinator in this new organization will be effective. We don't need more bureaucracy, research projects, or audits - we already know what the problems, threats, and risks are. We don't need coordinators or consensus-driven councils of cybersecurity.

In order for government critical infrastructure protection initiatives to be truly effective, we need the person charged with those responsibilities to be empowered under law with the requisite authority to force other agencies to get in step with his office's policies and direction. It's high time to shed the traditional government mentality that attempts to solve problems with additional staffing, studies, reports, and bureaucracies.

Richard Clarke is the right man for the job; however, unless he is designated as a "director" or "czar" instead of a "coordinator", his role in the Homeland Security Council will result in yet another failed attempt by the federal government to address information assurance matters.
This archive was generated by hypermail 2.1.2 : 2001-12-31 20:59:57 PST