17 June 2005

DHS: GAO Report on Cyber Security...

The GAO report on the Department of Homeland Security's (DHS) Cyber Readiness is now out. The GAO Report Highlights are nothing new.

CNET'S Charles Cooper's commentary on the subject is to say the least, tired.

Will any of this light a fire in Washington? As a political issue, cybersecurity rarely leads the evening network newscasts. New legislation to establish the weighty-sounding position of Assistant Secretary for Cybersecurity may help. So might the passage of the DHS Cybersecurity Enhancement Act of 2005. (Money and authority never hurt.)

But a drumbeat of criticism nonetheless is growing in response to current events.

Maybe the new blood at DHS will take the criticism to heart and order a recalibration, because there's no time to waste. More than 1,000 new worms and viruses were discovered in the last six months alone. What's more, networks will run into more complex worms and viruses--some of which will be deployed by politically motivated hackers--in 2005 and beyond.

The point is valid yet the private sector is the one who is ultimately responsible for their own risk management and mitigation when it comes to protecting vital systems and networks. They already know this and don't expect the DHS or the government in general to be able to do much about the threat. Afterall, look how resilient the Internet has become. The measures taken in design, redundancy and failover is already a proven factor. What isn't proven is that each private sector company who has responsibility for the economic security of our nation has an "A" on their report card.

The fact is that when it comes to Information Technology, we are just bad housekeepers. It's complexity is part of the issue, the other is that the majority just don't have any clue what goes in to making it all work, 24/7. When you take the laptop home on the weekend and let the kids surf on AOL with it you are setting up your company for more house work back at the corporate shop. Insider threats from spyware and malicious code caused by plugging that laptop back in to the corporate network have been slowed, yet everyday the "Help Desk" rings with dozens if not hundreds of issues like this.

The DHS doesn't have a priority on stemming the tide of these script kiddies using tools like Metasploit. They have a priority on finding, arresting and prosecuting the few that are stealing Intellectual Property, Personal ID's, and government secrets. We can only hope that Congress gives them more resources to make a real difference.

No comments:

Post a Comment