washingtonpost.com  > Technology > Tech Policy > Cybercrime

Cyber-Security Coordination Lacking, Senators Contend

Government Urged to Establish Lead Role

By Jonathan Krim
Washington Post Staff Writer
Wednesday, February 25, 2004; Page E05

Two senior U.S. senators yesterday sharply questioned the federal government's strategy for defending critical corporate and government computer systems from attacks by terrorists and hackers.

Sen. Jon Kyl (R-Ariz.) expressed surprise and frustration when a Department of Homeland Security official testified that his agency has not compiled a comprehensive analysis of vulnerabilities to cyber-attacks.

Sen. Diane Feinstein (D-Calif.), left, said leaving cyber-security to private corporations might not work. (Rebecca D'Angelo -- For The Washington Post)

New Windows Patch Proves Tricky (washingtonpost.com, Oct 1, 2004)
How to Protect Your PC Against the Latest Microsoft Flaw (washingtonpost.com, Oct 1, 2004)
Danger of Image-Borne Viruses Looms (washingtonpost.com, Sep 23, 2004)
More Security News
_____Government IT News_____
Johnson Will Retire Nov. 1 as CACI's No. 2 Executive (The Washington Post, Oct 1, 2004)
The States and Information Technology (Live Online, Sep 30, 2004)
No-Bid Defense Contracts Found to Be Common (The Washington Post, Sep 30, 2004)
More Government IT News

Kyl said the number of security intrusions reported to the Internet security coordination center at Carnegie Mellon rose from 84,000 in 2002 to 137,000 in 2003, some causing millions of dollars in damages.

Amit Yoran, who heads the department's cyber-security division formed last year, said the Department of Homeland Security takes an integrated approach to all terrorist threats and does not look at computer vulnerabilities in isolation.

After repeated questions from Kyl, Yoran said a national intelligence estimate on cyber-terrorism is due in the next two weeks, though it will likely be classified and it is not clear what topics it will cover. Such evaluations typically include estimates of the capabilities, vulnerabilities and probable responses to threats to the United States.

Asked by Sen. Dianne Feinstein (D-Calif.) whether his department has issued any directives to other federal agencies about improving security, Yoran responded that he works closely with them.

"I take it the answer is no," said Feinstein, the only other senator to appear at the hearing of the Judiciary subcommittee on terrorism, technology and homeland security, which Kyl heads.

Feinstein said she is especially concerned about the Bush administration's approach to corporations, which own or operate more than 80 percent of the Internet's infrastructure. In a national strategy to secure cyberspace issued a year ago, the administration imposed several guidelines on federal agencies to better secure their systems, but largely left the private sector alone, directing DHS to form a public-private partnership to tackle the issue.

Since then, Yoran's division has been working with various industry trade groups to develop strategies to improve public education, make security a corporate governance priority and improve software development.

"My concern is that we don't take cyber-terrorism as seriously as we should," Feinstein said. "The strategy is to leave most of this to the private sector. I'm not sure, long term, that this is going to work."

Several cyber-security experts are critical of the administration's approach, saying software and infrastructure vulnerabilities have been known for years. These experts are pushing the government to use its buying clout to force software makers to improve their products, among other measures.

At the hearing, Howard A. Schmidt, a former White House cyber-security adviser and now chief information security officer at eBay Inc., defended corporate executives as dedicated to security and best equipped to determine technical solutions.

© 2004 The Washington Post Company