CSIA: US Government weak on cybersecurity in 2005
By Patience Wait and Wilson P. Dizard III
GCN Staff
The Homeland Security Department has made sustained progress in improving cybersecurity in priority areas, but a lot of work remains to be done, according to an advocacy group of IT vendors and a DHS official.
Andy Purdy, acting director of DHS’ National Cyber Security Division, held a briefing to field questions about an industry trade association’s report card that gave the department poor grades on cybersecurity.
According to the report card released yesterday by the Cyber Security Industry Alliance, the federal government failed to make much progress in securing its information systems in 2005, nor did it do much to encourage industry to strengthen its own IT security.
The CSIA graded the government’s actions over the course of the past year on 12 recommendations the organization made a year ago to improve information security.
In its harshest evaluation, CSIA gave the government an F on its National Information Assurance Partnership program, a joint effort by the National Institute of Standards and Technology and the National Security Agency, to establish cybersecurity certification standards.
“[By] offering an F on NIAP, trying to shine a light on this, we might get senior-level government officials to say, ‘Why haven’t we made progress on this?’” said Paul Kurtz, executive director of CSIA. “The problem has been in leadership and execution, on a continual basis, since the president’s national strategy was issued three years ago.”
The association gave the government six D grades in areas such as increasing research and development funding for cybersecurity, strengthening information-sharing efforts and promoting stronger information security governance in the private sector.
The creation of a new DHS post—assistant secretary for cybersecurity and telecommunications—only rated a C on CSIA’s scorecard because the position, created in July as part of Homeland Security secretary Michael Chertoff’s reorganization plan, remains vacant.
Purdy said the department is working closely with the White House to select the right person.
“We don’t want to rush it,” he said. He promised that “sometime in the coming months,” an appointment would be announced.
The one bright spot on CSIA’s report card was a B, awarded for the Senate Foreign Affairs Committee’s favorable reporting out on the ratification of Europe’s Convention on Cyber Crime.
Rep. Bennie Thompson (D-Miss.), the ranking member of the House Homeland Security Committee, agreed with CSIA’s assessment of the state of the government’s cybersecurity policy.
“Where is the government’s leadership on cybersecurity? How long will the nation have to wait?” Thompson said in a statement. “I, for one, hope Chertoff doesn’t wait until a cyberattack causes billions of dollars in damages or results in lost lives before he decides to appoint an assistant secretary to take charge of our nation’s cybercrisis.”
In addition to evaluating progress over the past year, CSIA issued a set of 13 recommendations for the upcoming year. While some recommendations carried over, the association added several new ones, including a call to Congress to pass legislation on data breach notification and spyware protection; to ensure cybersecurity measures be taken to protect the health care information infrastructure; and to include information security planning in government plans to transition to IPv6.
“We’re trying to be constructive,” Kurtz said. “For those who might make the argument that we’re a bunch of vendors trying to sell more products, look at the issues—it’s about having the right policies, having the right people in place.”
GCN Staff
The Homeland Security Department has made sustained progress in improving cybersecurity in priority areas, but a lot of work remains to be done, according to an advocacy group of IT vendors and a DHS official.
Andy Purdy, acting director of DHS’ National Cyber Security Division, held a briefing to field questions about an industry trade association’s report card that gave the department poor grades on cybersecurity.
According to the report card released yesterday by the Cyber Security Industry Alliance, the federal government failed to make much progress in securing its information systems in 2005, nor did it do much to encourage industry to strengthen its own IT security.
The CSIA graded the government’s actions over the course of the past year on 12 recommendations the organization made a year ago to improve information security.
In its harshest evaluation, CSIA gave the government an F on its National Information Assurance Partnership program, a joint effort by the National Institute of Standards and Technology and the National Security Agency, to establish cybersecurity certification standards.
“[By] offering an F on NIAP, trying to shine a light on this, we might get senior-level government officials to say, ‘Why haven’t we made progress on this?’” said Paul Kurtz, executive director of CSIA. “The problem has been in leadership and execution, on a continual basis, since the president’s national strategy was issued three years ago.”
The association gave the government six D grades in areas such as increasing research and development funding for cybersecurity, strengthening information-sharing efforts and promoting stronger information security governance in the private sector.
The creation of a new DHS post—assistant secretary for cybersecurity and telecommunications—only rated a C on CSIA’s scorecard because the position, created in July as part of Homeland Security secretary Michael Chertoff’s reorganization plan, remains vacant.
Purdy said the department is working closely with the White House to select the right person.
“We don’t want to rush it,” he said. He promised that “sometime in the coming months,” an appointment would be announced.
The one bright spot on CSIA’s report card was a B, awarded for the Senate Foreign Affairs Committee’s favorable reporting out on the ratification of Europe’s Convention on Cyber Crime.
Rep. Bennie Thompson (D-Miss.), the ranking member of the House Homeland Security Committee, agreed with CSIA’s assessment of the state of the government’s cybersecurity policy.
“Where is the government’s leadership on cybersecurity? How long will the nation have to wait?” Thompson said in a statement. “I, for one, hope Chertoff doesn’t wait until a cyberattack causes billions of dollars in damages or results in lost lives before he decides to appoint an assistant secretary to take charge of our nation’s cybercrisis.”
In addition to evaluating progress over the past year, CSIA issued a set of 13 recommendations for the upcoming year. While some recommendations carried over, the association added several new ones, including a call to Congress to pass legislation on data breach notification and spyware protection; to ensure cybersecurity measures be taken to protect the health care information infrastructure; and to include information security planning in government plans to transition to IPv6.
“We’re trying to be constructive,” Kurtz said. “For those who might make the argument that we’re a bunch of vendors trying to sell more products, look at the issues—it’s about having the right policies, having the right people in place.”
Comments