Agency funding contingent upon systems’ protection.
While military combatants continue to fight the war against terrorism on the battlefield, U.S. government officials are stepping up work to protect the borders of cyberspace. Information infrastructure security is such a high priority that government agencies are now required to provide reports on risk assessments, system security needs and security plans before they receive program funding.
Information assurance has been an important issue since the beginning of communications over long distances. The introduction of computers into everyday life and the increased use of technical systems to share data significantly broaden its role. Today, everyone from the Internet shopper to the agencies gathering vital intelligence can be affected—or infected—by a breach in security. Because other types of critical infrastructures, including power grids and financial institutions, now rely on computer systems, the need to protect them has grown exponentially.
The U.S. Defense Department as well as other government agencies is employing defense in depth to ensure that its systems are not compromised, and the issue has received support from the highest level of the U.S. government. Late last year, President Bush ordered the establishment of the Critical Infrastructure Protection Board (CIPB) within the executive branch to coordinate government agency efforts to protect information, obtain industry input about technology and best practices, and uncover citizens’ concerns about computer security. A national strategy to protect information systems will be one product of this work.
The board works with representatives from both government and industry to gather ideas about protection and defense. When requested to do so, it will assist in the development of voluntary standards and will consult with the legal, auditing, financial and insurance communities to identify areas of mutual concern. In addition, the board will coordinate activities of senior liaison officers who are appointed by the attorney general, the secretaries of various government departments and the Federal Emergency Management Agency to explore critical infrastructure protection issues within the private sector.
Howard Schmidt, vice chair, CIPB, Washington, D.C., reveals that facilitating information sharing among government agencies, industry and academia is one way the board will help accomplish these tasks. Many of these organizations are working on similar solutions. By bringing their people together, they are able to compare the work they are doing and, in some cases, coordinate their efforts or solve each other’s problems, he says.
Multiple information sharing and analysis centers, or ISACs, established by private-sector entities such as the power companies and financial institutions are some of the main constituencies of the board, Schmidt shares. In addition, joint committees with representatives from various government agencies discuss information security issues. Finally, the board also is calling on academia to contribute expertise. More than 30 universities currently are centers of excellence on the topic.
The CIPB’s members are responsible for shepherding the pieces together. “For example, different agencies in the government conduct different work with different laboratories. Historically, they work in tandem but may be working on the same types of projects. We identify the ones we know and bring them around the table, and they talk together. In one case, we brought a group of ISPs [Internet service providers] together to report on how ISP collaboration can bring about an environment that is more secure, more robust and recovers faster if attacked. Once they talk, we turn it over to them. We use our kind of ‘bully pulpit’ to bring them together, and then they go back on their own, and they’re giving us input on what ISPs can do,” Schmidt explains.
Software and hardware vendors are another group that can have a huge impact on infrastructure protection. Schmidt says the board has seen considerable work accomplished from these sectors, but it is their responsibility to let the government know what is required to continue making progress.
The Freedom of Information Act (FOIA) is one hurdle that must be overcome when private industry interacts with the government, Schmidt points out. Information that is shared with government agencies may be requested under FOIA guidelines. Because proprietary information may be included in discussions, firms must be concerned about adequately protecting their data. Exceptions can be made to the FOIA; however, they must be narrowly crafted and designed so that they cannot be used to cover up illegal activities, he offers.
Two of the most promising security technologies available today are biometric and two-factor authentication; however, government agencies and even some in the private sector have been slow to adopt the capabilities. Schmidt attributes this reluctance to perceptions about the costs of incorporating these technologies into present systems. In addition, certain policy issues must be resolved. For example, two-factor authentication may require use of a smart card and a fingerprint. Organizations must determine what procedure to follow when someone loses a smart card.
“These approaches have only been successful in a few places. We are working with the Defense Department’s PKI [public key infrastructure] board to move PKI quickly within the government. We will continue to push it. As we move into the next fiscal year, we will be using two-factor identification and will use the Defense Department as a model,” Schmidt allows.
Schmidt also identifies software patch management as one of the other obstacles to information security. “Since the early days of computing, I have met with many of the most senior computer people in the private sector. Security is job number one. Some have created free software to alert you if you need a patch. For the federal government, there is now a GSA [General Services Administration] contract to do patch management for the government,” he shares.
Schmidt is referring to a contract awarded to Science Applications International Corporation (SAIC) for one base year and four one-year options to provide support to the Federal Computer Incident Response Center (FedCIRC) under the SAFEGUARD program. FedCIRC will serve as a central point for federal agencies to receive notification of pending software patches that correct known vulnerabilities. Follow-up notifications will be provided when the patches are received and validated. SAIC’s offering includes technology from Vigilinx Digital Security Solutions.
Government agencies have a lot at stake with regard to securing their systems. The Government Information Security Reform Act (GISRA), signed into law in 2000, requires annual agency program reviews, inspector general evaluations and agency reports to the Office of Management and Budget (OMB). In addition, OMB must submit to Congress summaries of agencies’ reports as part of the budget process beginning in 2001. Schmidt explains that in effect GISRA means that if a department wants its information technology budget approved, it must document that an information security plan is part of it. “There are some real incentives out there now,” he states.
But equipment is only part of the government’s information assurance surge. Training is another element Schmidt identifies as vital to addressing the vulnerability issues. Education goes beyond systems administrators and government computer users in his view. It is about getting the word out to every computer user—both professional and occasional—about the importance of staying safe online. He relates that in shopping online during the past seven years, his credit card information has never been comprised; however, the information has been stolen while using a credit card in traditional stores. “If a bank were to say that I am responsible for more than $50 in charges, there would be a move to make sure it was secure. With the training of people, there are too many moving parts. The same people who have their VCRs flashing at 12 o’clock are the ones who are using computers.
“We are working with community colleges to get the word out about how to be more secure. We have a Web site that is easy to read so users don’t need a computer science degree to understand it. We are working with elementary schools to make security part of their curriculum. We are really an entrepreneurial organization,” he says.
The Web site Schmidt is referring to is http://www.staysafeonline.info, sponsored by the National Cyber Security Alliance. The alliance is a partnership between the federal government and leading private-sector companies. Its goal is to raise citizens’ awareness of the crucial role that computer security plays in protecting the nation’s Internet infrastructure and to encourage all computer users to protect their home and small business systems.
The site includes beginner’s guides, hot links to security sites and a self-test that evaluates a visitor’s security knowledge and practices. In the site’s first month of operation, it received more than 2 million hits, and alliance membership doubled with more than 40 companies joining the group.
Schmidt emphasizes that information assurance personnel working to secure cyberspace were dedicated to the effort long before September 11. Since that time, work has accelerated. “For the CIPB, this is not a new issue. We all work together—people, processes and technology,” he states.
Although much of the board’s work involves facilitating government and private-sector collaboration, its efforts have not stopped there. To help develop the national strategy to protect cyberspace, the Critical Infrastructure Assurance Office published 53 questions on the Internet that were chosen by the CIPB to obtain input from small businesses, large companies and home users alike. A deadline for input was set as last April; however, the questions are still available and comments continue to be welcome.
Ideas are being sought on topics that range from awareness and assistance to disclosure of risk by ISPs and hardware or software vendors. The survey also invites comments about who should be responsible for security in an organization, the role of the board of directors and security breach reporting.
In addition to the questionnaire, the board sponsored four town meetings at various locations across the United States. To ensure public participation, the events were widely publicized. Schmidt says the purpose of the meetings was to solicit citizens’ ideas and concerns about computer systems. The meetings were conducted as open forums that began with very brief presentations made by experts followed by an opportunity for audience members to express their opinions.
“Some of them [meeting participants] talked about different types of technology they own that they think the government can use. They suggested holding vendors accountable for making more secure products. They asked if there was enough technology in the hands of law enforcement agencies so they could investigate crimes. They wondered about network configuration and wanted to know how to better protect themselves and their computers while online. The input will become part of the national strategy,” Schmidt shares, adding that attendees also were concerned about privacy.
“This is not just a piece of technology. Everyone is part of cyberspace. Everybody has to do his or her part to secure cyberspace,” he says.
Additional information on protecting information systems is available on the World Wide Web at http://www.staysafeonline.info, and information on the National Strategy to Secure Cyberspace is available at http://www.securecyberspace.gov.
Bundled Requirements, Bundled Solutions
U.S. government agencies will receive new security options that will simplify their efforts in information assurance. When work is completed, which could be as soon as early fiscal year 2003, departments will be able to select and adopt a designated security level for their organization without shopping around among hundreds of vendors.
Although information protection always has been of concern to agencies, today’s volatile environment heightens the urgency to get security right. First, cyberspace is yet another battlefield where adversaries can launch an attack or gather intelligence. Second, recent changes in federal budgeting procedures now require that all departments demonstrate that their systems are secure before they receive funding.
The General Services Administration/Federal Technology Service (GSA/FTS) is developing an approach that will help agencies meet these challenges. John C. Johnson, assistant commissioner for service development, GSA/FTS, says that although his group has offered security tools for some time, recent work will make it easier for government personnel to find the solution that meets their needs.
“The service development organization that I run is responsible for leading FTS strategic planning, refinement of technology and next-generation services. Our research found that customers are looking for a greater selection, and that’s why we have such a broad array of services.
“They also need simpler delivery methods to give them more time to focus on their own missions. We’re continuing to align a strategy,” he offers.
Johnson points out that the organization has always addressed three key issues: selection, savings and simplicity. Now, it is adding a fourth component: security. It will be offered in a different, more coordinated way.
Numerous discussions with other government officials about information security revealed that the ultimate approach to security would be a totally private network, also called an air gap network. This approach would provide almost total immunity against cyberattacks. Work on this network continues; however, in the meantime, a more immediate solution is required, Johnson states.
To address this need, Johnson’s group assembled a team made up of representatives from approximately 15 agencies to discuss various ways to meet users’ needs. Multitier security profiles (MTSP) are the result of this evaluation. “These are increments of security that can be implemented within the networks. They are somewhere between what we have today and totally air-gap solutions,” he relates. As a result, FTS services can provide improved security, reliability and survivability and bring value-added services to meet emerging needs, he adds.
Requirements for a total of four tiers have been developed that provide different levels of security. Tier one is standard service and offers protections for basic Internet connectivity for nonmission systems or noncritical operations. Tier two is a protected service, similar to the sensitive but unclassified communication systems used by the military.
The third tier is a high assurance service for customers who deal in extremely sensitive information. These would include federal law enforcement and cyberincident reporting agencies. In addition, this level of security might be needed for interagency collaboration. Tier-three connectivity would occur using approaches approved by the National Security Agency.
The final tier would offer the highest level of security. Although each tier must comply with certain government standards, systems with a tier-four level of security still would not be connected to those using lower levels of security.
Unlike the U.S. Defense Department’s nonsecure and secure Internet protocol router networks, which are owned and operated by the government, security solutions offered for each tier will be commercial offerings, Johnson says. This is an important feature, he adds, because agencies are of different sizes and have different needs. The Defense Department’s approach is somewhat rigid; the MTSP approach addresses specific concerns but also meets the needs in the gray areas, he explains.
GSA/FTS already has contracts established with several companies, and work on developing appropriate solutions for each tier will be conducted by them. At a meeting with these firms, GSA/FTS outlined the requirements for each tier and asked them to design a plan for any or all of the tiers. The next step is modifying original contacts to include these solutions. Solutions can be unique as long as they meet the functional requirements, Johnson states.
As companies present their solution ideas, GSA will evaluate them and determine the costs. Providing savings to agencies continues to be an important goal for GSA/FTS, he says.
Once the security tools have been identified, the next step from FTS’ point of view will be testing and certification. This process will ensure that customers receive what they want, he says. In addition, a re-certification process will most likely be put into place to confirm that companies continue to provide an acceptable level of products and services.
Tier requirements address network security only. Individual and groups of users at each agency would still be responsible for ensuring that they comply with the tiered services and that their own systems are protected, Johnson explains.
Because work on this project is still underway, a deadline for offering the tiered solutions has not been published. However, Johnson says that at least some of the capabilities should be available within the next six months.