Tech Group Blasts Federal Leadership on Cyber-Security

By Brian Krebs Staff Writer
Tuesday, December 13, 2005; 5:50 PM

A group of leading technology companies today chastised Congress and the Bush administration for what it characterized as a failure to support initiatives to fight online crime, saying a lack of leadership and accountability in this area is endangering U.S. economic and national security.

The Cyber Security Industry Alliance said the federal government has largely declined to act on recommendations the group outlined a year ago, goals that mirrored policies originally set forth in early 2003 by the White House in the "National Strategy to Secure Cyberspace."

Cyber-security as a government priority "has been on a downward slope and we need to arrest that decline and bring the issue back to the level [of importance] it was a few years ago," said Paul Kurtz, a former Bush administration cyber-security official who serves as chief executive of the alliance. The group's members include such tech titans as Computer Associates, Entrust, McAfee, RSA Security and Symantec.

The industry-led criticism comes as the problem of computer- and Internet-based crime has reached an all-time high. A U.S. Treasury official said earlier this month that the profits online crooks are earning through computer crime now rival those of the global trade in illegal narcotics. Earlier this year, federal investigators acknowledged that a series of computer break-ins at several government and defense technology contracting companies led to the theft of sensitive documents and intellectual property by Chinese hacker groups and other foreign governments.

Among the failures cited by the alliance was the lack of a high-level executive branch official charged with overseeing efforts to secure government systems and encourage the sharing of information between government and the private sector on new information security threats.

Last year, Congress directed the Department of Homeland Security to create such a position within the agency, but the White House has yet to name a candidate for the post.

The alliance said funding for cyber-security research and development has remained flat at less than two percent of the federal R&D budget this year, even though the president's Information Technology Advisory Committee issued a report last February, "Cyber Security: A Crisis of Prioritization," concluding that while the U.S. information infrastructure remains highly vulnerable to terrorist and criminal attacks, there is little federal budgetary support for research to protect the digital infrastructure used by the U.S. government and private sector. The White House dissolved the advisory council without explanation just a few months after that report was issued.

In addition, the alliance noted that the administration's budget for DHS-led cyber-security programs was cut by seven percent this year. The cuts came after the Department of Homeland Security led a list of seven agencies that received flunking grades for their cyber-security efforts in 2004, with the federal government at large earning an overall grade of "D-plus" from a key congressional oversight committee.

James Lewis, director of the technology and public policy program at the Center for Strategic and International Studies in Washington, said many in the private sector are growing weary with the federal government's lackluster response to the national cyber strategy.

"It's getting kind of old that we're not making progress," Lewis said.

Industry leaders also expressed frustration over the National Information Assurance Partnership (NIAP), a collaboration between the National Institute of Standards and Technology and the National Security Agency to test the security and reliability of commercial software destined for use in federal information systems. Software vendors have long complained that the NIAP certification process is unnecessarily lengthy and costly. The Department of Defense and DHS recently concluded a study of the program's effectiveness, but those findings have not yet been released to the public.

Alan Paller, director of research for the Bethesda, Md.-based SANS Institute, said some federal agencies deserve praise for using their buying power to convince hardware and software vendors to deliver more secure products. But Paller said he's become alarmed at the culture of secrecy that has paralyzed the government from taking action to correct serious security vulnerabilities that remain widespread in federal government networks.

© 2005 The Washington Post Company