


Information Security News: Congress slams Homeland Security's tech efforts

Congress slams Homeland Security's tech efforts

From: InfoSec News <alerts_at_infosecnews.org>
Date: Thu, 14 Sep 2006 01:11:20 -0500 (CDT)

http://news.com.com/Congress+slams+Homeland+Securitys+tech+efforts/2100-1028_3-6115434.html

By Anne Broache
Staff Writer, CNET News.com
September 13, 2006

WASHINGTON--The U.S. Department of Homeland Security on Wednesday
sustained more bashing of its cybersecurity efforts from politicians and
government auditors.

In what has become a familiar refrain, a chorus of Republicans and
Democrats--all from the U.S. House of Representatives panel on
telecommunications and the Internet--urged the agency to get its act
together and appoint a long-awaited cybersecurity czar.

Then, at a sparsely attended afternoon hearing here, members of the
House of Representatives' Homeland Security panel grilled department
officials about shortcomings in the Homeland Security Information
Network, which was intended to ease sharing of counterterrorism
information among federal, state and local investigators.

During the morning hearing, politicians voiced dismay at the
unsurprising findings of a Government Accountability Office report
(click for PDF [1]) that was released Wednesday and that had been
prepared at the committee's request.

"Both government and the private sector are poorly prepared to
effectively respond to cyberevents," David Powner, the GAO's director of
information technology management issues, told the politicians.
"Although DHS has various initiatives under way, these need to be better
coordinated and driven to closure."

The Department of Homeland Security, which is chiefly responsible for
coordinating responses to cyberattacks, also has no concrete plan for
responding to cyberdisasters in partnership with the private sector,
Powner said.

The department's Under Secretary for Preparedness George Foresman
adopted a defensive posture throughout the two-hour hearing, which also
included testimony from the Federal Communications Commission and
private sector representatives. A similar slate of witnesses, including
Foresman, was scheduled to testify on the subject before a House
Homeland Security panel on Wednesday afternoon.

Foresman emphasized that finding someone to fill the post of assistant
secretary for cybersecurity and telecommunications remains a "top
priority" for the department. The post has been vacant since its
creation in July 2005, a situation that has drawn a rash of criticism
inside and outside the government.

"We are in the final stages of a security process review for a candidate
we feel is very well-qualified," he said. "We look forward to announcing
this candidate with Congress very soon."

For a number of politicians, that assurance wasn't good enough. "To have
gone this long without any attention to this or without having someone
direct this part of the orchestra is dangerous for this country, I
think, in plain English," said Rep. Anna Eshoo, a California Democrat.
"I'm not one to try to hype up fear and all that, but we've placed
ourselves in a real ditch here by not having the administration name
someone."

Foresman said he would "strenuously object" to the insinuation that the
department has been sitting idle while the post has remained vacant.
"Had we been in neutral the entire time, I think there would be a grave
concern, but I think we have been in overdrive all the time," he said.

One example of an action the department has taken was a weeklong mock
attack called Cyber Storm, he said. The agency on Wednesday released a
17-page "after-action report" assessing the results of the February
exercise, which involved more than 100 public and private agencies,
associations, and corporations from more than 60 locations across five
countries.

Among the challenges experienced during the exercise, according to the
report, are an insufficient number of "technical experts" on board to
"fully leverage the large volume of incident information that was being
provided;" difficulty figuring out who to call within organizations to seek
help during crises; and lack of a rapid means to assess and
prioritize--or "triage"--cyber incidents.

Terrorist cyber-attacks?

Fresh off commemorations of the fifth anniversary of the Sept. 11
attacks earlier this week, some members at the morning hearing seemed
particularly alarmed by the specter of terrorist-driven cyberincidents.

"Certainly cyberterrorism is something that is likely to be in
al-Qaida's playbook, and we should be vigilant against such threats,"
said Rep. Edward Markey, a Massachusetts Democrat who serves as
co-chairman of the panel.

"Some people probably think they're exempt from the impact of the
Internet, but you'd almost have to live in a cave to be truly
unaffected," added Texas Republican Joe Barton, who serves as chairman
of the influential House Energy and Commerce Committee. A widespread
disruption on that front, he quipped, "is exactly the outcome envisioned
by a man who does live in a cave: Osama bin Laden."

That theme continued in the afternoon hearing, convened by a House panel
on intelligence, information-sharing and terrorism risk assessment.

"If we are not successful in our information-sharing efforts, then we
are not going to be successful in connecting the dots to protect our
people and our nation from the possibility of additional attacks,"
said Connecticut Republican Rob Simmons, the panel's chairman.

The focus of concern was a June 2006 report (click for PDF [2]) from the
department's Inspector General's Office that found the agency's
information-sharing network was not performing as intended.

The Department of Homeland Security's Assistant Inspector General Frank
Deffer outlined a number of those flaws. They included an overly rushed
schedule for rolling out and expanding the system after DHS inherited
control of it in 2003; inadequate training and guidance for users on how
to use it; general mistrust for the secrecy of information shared
through the portals; and lack of availability of real-time information
about situations.

During the 2005 London Underground bombings, for instance, "users were
able to get better information faster by calling personal contacts at
law enforcement agencies with connections to the London police than by
using the system," Deffer said. As a result, the system has very few
active users, he said.

"Taxpayers really should be outraged by what's happened here," Rep.
Zoe Lofgren, a California Democrat, said of the $50 million undertaking.
"The program is not only a model of haste and waste, but it's a missed
opportunity to do things right."

Copyright ©1995-2006 CNET Networks, Inc. All rights reserved.

[1] http://www.gao.gov/new.items/d061100t.pdf
[2] http://www.dhs.gov/interweb/assetlibrary/OIG_06-38_Jun06.pdf

Received on Sep 13 2006
