Two senior U.S. senators yesterday sharply questioned the federal government's strategy for defending critical corporate and government computer systems from attacks by terrorists and hackers.
Sen. Jon Kyl (R-Ariz.) expressed surprise and frustration when a Department of Homeland Security official testified that his agency has not compiled a comprehensive analysis of vulnerabilities to cyber-attacks.
Kyl said the number of security intrusions reported to the Internet security coordination center at Carnegie Mellon rose from 84,000 in 2002 to 137,000 in 2003, some causing millions of dollars in damages.
Amit Yoran, who heads the department's cyber-security division formed last year, said the Department of Homeland Security takes an integrated approach to all terrorist threats and does not look at computer vulnerabilities in isolation.
After repeated questions from Kyl, Yoran said a national intelligence estimate on cyber-terrorism is due in the next two weeks, though it will likely be classified and it is not clear what topics it will cover. Such evaluations typically include estimates of the capabilities, vulnerabilities and probable responses to threats to the United States.
Asked by Sen. Dianne Feinstein (D-Calif.) whether his department has issued any directives to other federal agencies about improving security, Yoran responded that he works closely with them.
"I take it the answer is no," said Feinstein, the only other senator to appear at the hearing of the Judiciary subcommittee on terrorism, technology and homeland security, which Kyl heads.
Feinstein said she is especially concerned about the Bush administration's approach to corporations, which own or operate more than 80 percent of the Internet's infrastructure. In a national strategy to secure cyberspace issued a year ago, the administration imposed several guidelines on federal agencies to better secure their systems, but largely left the private sector alone, directing DHS to form a public-private partnership to tackle the issue.
Since then, Yoran's division has been working with various industry trade groups to develop strategies to improve public education, make security a corporate governance priority and improve software development.
"My concern is that we don't take cyber-terrorism as seriously as we should," Feinstein said. "The strategy is to leave most of this to the private sector. I'm not sure, long term, that this is going to work."
Several cyber-security experts are critical of the administration's approach, saying software and infrastructure vulnerabilities have been known for years. These experts are pushing the government to use its buying clout to force software makers to improve their products, among other measures.
At the hearing, Howard A. Schmidt, a former White House cyber-security adviser and now chief information security officer at eBay Inc., defended corporate executives as dedicated to security and best equipped to determine technical solutions.