By Brian Krebs
washingtonpost.com Staff Writer
Tuesday, December 13, 2005 5:50 PM
A group of leading technology companies today chastised Congress and the Bush administration for what it characterized as a failure to support initiatives to fight online crime, saying a lack of leadership and accountability in this area is endangering U.S. economic and national security.
The Cyber Security Industry Alliance said the federal government has largely declined to act on recommendations the group outlined a year ago, goals that mirrored policies originally set forth in early 2003 by the White House in the "National Strategy to Secure Cyberspace."
Cyber-security as a government priority "has been on a downward slope and we need to arrest that decline and bring the issue back to the level [of importance] it was a few years ago," said Paul Kurtz, a former Bush administration cyber-security official who serves as chief executive of the alliance. The group's members include such tech titans as Computer Associates, Entrust, McAfee, RSA Security and Symantec.
The industry-led criticism comes as the problem of computer- and Internet-based crime has reached an all-time high. A U.S. Treasury official said earlier this month that profits that online crooks are earning through computer crime now rivals that of the global trade in illegal narcotics. Earlier this year, federal investigators acknowledged that a series of computer break-ins at several government and defense technology contracting companies led to the theft of sensitive documents and intellectual property by Chinese hacker groups and other foreign governments.
Among the failures cited by the alliance was the lack of a high-level executive branch official charged with overseeing efforts to secure government systems and encourage the sharing of information between government and the private sector on new information security threats.
Last year, Congress directed the Department of Homeland Security to create such a position within the agency, but the White House has yet to name a candidate for the post.
The alliance said funding for cyber-security research and development has remained flat at less than two percent of the federal R&D budget this year, even though the president's Information Technology Advisory Committee issued a report last February, "Cyber Security: A Crisis of Prioritization," concluding that while the U.S. information infrastructure remains highly vulnerable to terrorist and criminal attacks, there is little federal budgetary support for research to protect the digital infrastructure used by the U.S. government and private sector. The White House dissolved the advisory council without explanation just a few months after that report was issued.
In addition, the alliance noted that the administration's budget for DHS-led cyber-security programs was cut by seven percent this year. The cuts came after the Department of Homeland Security led a list of seven agencies that received flunking grades for their cyber-security efforts in 2004, with the federal government at large earning an overall grade of "D-plus" from a key congressional oversight committee.
James Lewis, director of the technology and public policy program at the Center for Strategic and International Studies in Washington, said many in the private sector are growing weary with the federal government's lackluster response to the national cyber strategy.
"It's getting kind of old that we're not making progress," Lewis said.
Industry leaders also expressed frustration over the National Information Assurance Partnership (NIAP), a collaboration between the National Institute of Standards and Technology and the National Security Agency to test the security and reliability of commercial software destined for use in federal information systems. Software vendors have long complained that the NIAP certification process is unnecessarily lengthy and costly. The Department of Defense and DHS recently concluded a study of the program's effectiveness, but those findings have not yet been released to the public.
Alan Paller, director of research for the Bethesda, Md.-based SANS Institute, said some federal agencies deserve praise for using their buying power to convince hardware and software vendors to deliver more secure products. But Paller said he's become alarmed at the culture of secrecy that has paralyzed the government from taking action to correct serious security vulnerabilities that remain widespread in federal government networks.
"The only leadership I see right now on this issue in the federal government is in trying to hide attacks that have been successful," Paller said. "If senior management [in federal civilian agencies] can avoid letting the public know that the attacks are happening, they don't have an incentive to protect those systems."
Kurtz said the federal government deserves credit for making incremental progress on some cyber-security fronts, such as funding tests of the resiliency and security of critical digital networks that run the air traffic control system, power grids, financial systems and military and intelligence networks.
Kurtz also praised the Senate Foreign Relations Committee's recent recommendation that the full Senate vote on whether to ratify the Council of Europe's Convention on Cyber Crime, which he said should help U.S. law enforcement agencies better find and prosecute online crooks based abroad. Congress also is debating several consumer privacy and data breach notification bills intended to help consumers victimized by identity theft and online fraud.
Andy Purdy, acting director of the DHS's National Cyber Security Division, said his office is working with the White House to find the most qualified person for the new cyber-security post, but he cautioned that the job may remain unfilled for several more months.
"We believe the selection of that person -- in terms of the message it sends to help highlight the commitment of the administration to reducing cyber risk -- is a very important one and we don't want to rush it," he said.
Purdy said he believes the president's budget is sufficient to accomplish the goals laid out in the national strategy and acknowledged "the importance and seriousness of raising federal agency scores on internal cyber security.
"While the grades are not what we'd like to see, we believe there is sustained progress and we are encouraged by that progress and we are continuing to work closely with those agencies," Purdy said.
He also defended the administration's record on implementing key portions of the White House cyber-security strategy.
"We've made tremendous progress," Purdy said. "But we also recognize that in the need to formalize how we work with the private sector so that we can have the ongoing, sustained collaboration -- not just information sharing -- we have a long way to go."