Lawmakers see cyberterror vulnerability
Source: The Hill
By Sarah Lesher
Date: May 29, 2003
Lawmakers are charging that government agencies and industry are not doing enough to protect the country’s power plants, industries and financial institutions from the threat of cyberterrorism attacks.
At one recent hearing, House Science Committee Chairman Sherwood Boehlert (R-N.Y.) complained that “not nearly enough” research and development is underway.
He argued that government agencies have neither sought nor set aside adequate funding to implement the goals of the Cybersecurity Research and Development Act passed last fall.
He also complained that the newly formed Department of Homeland Security is not forcefully implementing the act and that the Pentagon’s Defense Advanced Research Projects Agency (DARPA), is reducing cyberterrorism funding.
His committee has pushed for cyberterrorism programs to be included in the Homeland Security Act as well as the Cybersecurity Research and Development Act, Boehlert said.
“The war against terrorism will be won as much in the laboratory as on the battlefield,” said Boehlert in a speech earlier this spring.
Witnesses and members at the recent hearing identified several stumbling blocks to improving the nation’s cyber security defenses.
Rep. Ralph Hall (D-Texas), the committee’s ranking member, raised two fundamental issues — lack of real data for estimating the size of the cyber security threat and the fact that the information infrastructure is largely in the hands of the private sector.
Both Reps. Brad Miller (D-N.C.) and Lamar Smith (R-Texas) echoed concerns about the private sector’s readiness.
And Arden Bement, director of the National Institute of Standards and Technology, pointed out vulnerabilities in the electric power grid and the computer systems that control it.
Rob Reeder, a researcher on computer security at Carnegie Mellon University who was not at the hearing, said in a later interview that detailed data on previous cyber attacks is essential for research on how to protect against them to proceed. But private companies are reluctant to release information on security penetrations because it could affect their corporate image and hence their bottom line.
Science committee staffers have noted that 80 to 90 percent of the country’s infrastructure is under private control. They stress the importance of getting that sector involved with efforts to combat cyberterrorism.
Information that the private sector shares with government agencies is available through the Freedom of Information Act (FOIA). Exemptions to FOIA were written into the Homeland Security Act, but because of concerns about freedom of the press, Sen. Patrick Leahy (D-Vt.) and others have introduced legislation intended to reduce some of them.
Earlier this spring, Rep. Adam Putnam (R-Fla.), chairman of the House Government Reform Technology Subcommittee, said there was a need for regulations that would force government and the private sector to deal adequately with cyber security. The subcommittee gave a failing grade last fall to all 24 civil federal agencies after a Government Accounting Office report in October.
Putnam’s subcommittee staffers have said recently that they are making site visits to private sector companies to assess its state of preparedness.
At a subcommittee hearing in April, Michael Vatis, then the director of Dartmouth’s Institute for Security Technology Studies and a former top cyberterrorism government official, said there was reluctance in both government and the private sector to deal effectively with the problem.
“We shouldn’t wait for a major infrastructure attack to occur before we take steps to truly learn the full scope of our vulnerability and to begin shoring up our weaknesses,” he said.
Testifying at the same hearing, former White House advisor on cyber security Richard Clarke said, “I think we want to avoid regulation” and a “cyber security police.”
But a few weeks later, members of a White House advisory group called the National Infrastructure Advisory Committee reluctantly concluded that regulation might be the best way to get some industries to implement better cyber security, as well as physical infrastructure security.
An alternative to government regulation is self-regulation through regional Information Sharing and Analysis Centers, set up during the Clinton administration to improve information sharing between the government and industry. But the confidentiality issue — the threat of having competitors aware of a company’s vulnerabilities — has made this problematic for many organizations.
The vulnerability of government nuclear secrets and private nuclear power plants has been raised in other hearings this year.
For example, the House Government Reform Committee’s National Security subcommittee chaired by Rep. Chris Shays (R-Conn.) raised the issue of the vulnerability of the Indian Point nuclear plant near New York City, as well as problems communicating with first responders. It has been suggested that a terrorist organization might amplify the effect of a physical attack on a plant by simultaneously disrupting its control systems and emergency response.
The central problem identified by DARPA Director Anthony Tether in last week’s Science Committee hearing is a shortage of new ideas.
“We’re more idea-limited than funding-limited,” Tether said.
Original article: http://www.hillnews.com/news/052803/cyberterror.aspx
^macro[showdigestcomments;^uri;Lawmakers see cyberterror vulnerability]