‘Cyber Pearl Harbor Could Be Worse Than 9/11,’ Davis Says
Few entities escaped the scorn of House Govt. Reform Committee Chmn. Davis (R-Va.) in a keynote -- alternately harsh and humorous -- to a Thurs. Information Technology Assn. of America (ITAA) workshop. From federal agencies to graduate schools, cybersecurity “has just not been a priority,” Davis said, bemoaning the persistence of “analog government” in the “digital economy.” With hostile groups able to launch cyberattacks from anywhere, “a cyber Pearl Harbor could be worse than 9/11,” Davis warned.
As oil was to the 20th century, IT is to the 21st, Davis said. He cited oil-poor Jordan, the Middle East’s fastest growing economy thanks to IT investments and legal changes on intellectual property. Internet uses like online tax filing are “so commonplace now that we take them for granted” -- forgetting their vulnerability to hackers, hostile govts. and identity thieves, especially via mobile computing, Davis said.
Davis defended his committee’s harsh grading of major agencies on its annual Federal Information Security Management Act (FISMA) report card (WID March 17 p4). The Office of Personnel Management and other small departments did well, but DoD, Homeland Security, DoJ and State “continue to rank at the bottom of the grades,” Davis said. “I don’t go out and just give these grades arbitrarily,” he said, noting they're based on govt.-wide audits by GAO. He said “failing agencies” were among FISMA’s biggest critics. But agencies getting high marks “can’t risk complacency,” he said: “We want to avoid a checkbox mentality” that treats “compliance” as acceptable.
Agency responses to committee queries on breaches range from reports of one laptop lost to thousands, Davis said. The Census Bureau and Commerce Dept. can’t account for 1,100 laptops, half of them signed out to employees who have since left, he said. The Army told Davis this week it lost a laptop with Social Security numbers for 4,600 ROTC applicants; the loss hasn’t been reported outside southern Va., where it happened. Davis’s amendment (HR-6163) to the House-passed VA bill would require timely notice to people possibly affected by an agency breach. It’s far from the worst news for President Bush, Davis warned: If Democrats take Congress this election, “it doesn’t get any prettier for the Administration.”
Davis’s committee faces barriers to deeper engagement with cybersecurity, he said. Breaches may involve classified data -- the Intelligence Committee bailiwick, he said, noting that House Govt. can get only so much information with its clearances. The 2 committees are in “discussions” on cybersecurity oversight. A bigger issue, if House control changes, Davis said: The likelihood Rep. Hastings (D-Fla.), an impeached federal judge close to House Minority Leader Pelosi (D-Cal.), will edge out Ranking Member Harman (D-Cal.), reportedly on Pelosi’s bad side, for the Intelligence chair.
Davis’s fellow Republicans in the White House came in for criticism on poor information sharing. Davis wrote a report highly critical of Bush’s response to Hurricane Katrina: “We've got to stop waiting for the disaster that meets our response plans” and devise an “entrepreneurial model” that guards against dangers in real time. Don’t expect the Senate to be part of the solution, Davis said. He called that body “dysfunctional” but admitted to hoping to join it in a few years. Attachments to appropriations bills will remain the “vehicles of change” for legislation in the Senate, he said.
Asked about leaks of classified information for political purposes, Davis softened, calling one person’s leak “another man’s revelation of wrongdoing.” Congress has tried to devise narrow whistleblower legislation, but technology outpaces law. “Nowadays everybody’s got a channel,” he said. “We're going to have to come back and rethink” how to judge leaks. -- Greg Piper
ITAA Notebook…
The govt. has had luck in recent breaches but can’t assume that luck will hold, OMB E-Govt. & IT Administrator Karen Evans told the ITAA workshop. If the laptop with 26 million veterans’ profiles stolen from the VA hadn’t been recovered, with no evidence of data misuse, the govt. would have incurred $540 million in credit monitoring costs, she said. “There’s an even greater responsibility” for agencies than the private sector owing to civic duty, Evans said: “You can’t just choose not to file your taxes” in hopes of avoiding a data breach of tax information. She warned contractors that they're under the same rules when they work for the govt. and will be reviewed by inspectors general for their govt. work. The Bush Administration always has deemed cybersecurity a priority, she said, recently elevating personally identifiable information (PII) into its own category for security reporting purposes. Data compromises must be reported within an hour after PII breaches are discovered; agencies reported 338 separate incidents to OMB from late spring, when the rule changed, to Sept. 30, Evans said. Preliminary reports from agencies on Federal Information Security Management Act (FISMA) compliance last fiscal year indicate 88% have their IT systems certified and accredited, 78% are testing contingency plans and 19 are verifying weaknesses in remediation -- slight improvements from the previous year. Agencies have latitude in adopting security controls for PII, Evans said. They might start by evaluating whether so many employees need freedom to take IT products from a building or log in remotely -- or just buy $17 encrypted jump drives at Target, as Evans said she did for her children recently. Agencies should ask staff whether they need to carry so much data around, especially Social Security numbers, she said: “It’s nice for the IT people for us to use [SSNs] as a primary key… but is it really necessary?” -- GP
--
The govt. can’t adopt the “software as a service” tack sweeping business without risking public outcry, an IBM official told the ITAA conference. The model refers to software hosted on company servers that customers access remotely, to simplify deployment and cut costs. “We've definitely looked at a lot of these,” said Anthony Nadalin, chief security architect for IBM Software Group. But under that setup, govt. data may reside on the same servers as 50,000 other customers’ data, boosting the risk that a breach involving one customer will hit the rest, he said. The public will blame the govt. for not running its own software, Nadalin said. Software security remains driven mostly by the commercial market, not DoD or civilian agencies, said Michael Love, Computer Sciences Corp. asst. gen. counsel. Agency security needs vary wildly, he said: “It is not one market force,” and won’t be until a govt.-wide “czar” is created for information security. The govt. can influence software security for the better by setting minimum standards that force contractors hoping to do govt. business to create new systems or change old ones, Love added. OMB’s recent orders on information security have problems, said Bruce Walker, vp-strategic planning for DHS at Northrop Grumman. “Vendor/solution neutrality” -- requiring that products acquired be interoperable with other vendors’ goods -- ignores the “legacy environment,” he said. Domain-specific security requirements often override planned implementation of new systems, Walker added. Agencies may use off-the-shelf software in ways inconsistent with its broader commercial use, or hide relevant details about the “intended operational environment” from vendors, then complain about implementation hassles, he said.