White House: U.S. still far from cybersecurity

In tandem with private industry, the government has made inroads into securing cyberspace, but the efforts have only laid a foundation.

Robert Lemos Staff Writer, CNET News.com
Robert Lemos
covers viruses, worms and other security threats.
Robert Lemos
3 min read
Thirty-three months after a presidential order mandated that government agencies work to protect the United States' critical infrastructure, most have merely taken a few baby steps toward securing the country's computers and networks, according to a White House report.

The report found that the government has made progress in cementing industry-government partnerships around critical technologies, securing Department of Defense networks, and forming at least one education initiative for training security personnel. But it noted that there is still no way to locate and fix vulnerable critical systems and no means of tracking the progress of the various departments' pursuits of cybersecurity.

"Achievements to date are notable, but there is still work to do," stated the report, released a week ago by the Critical Infrastructure Assurance Office (CIAO).

On May 22, 1998, President Clinton signed Presidential Decision Directive 63, a rallying cry for the United States government to work with industry to secure the country's critical computer systems from cyberattack. The directive called for a national plan to protect such systems and periodic reports of the progress made in securing the U.S. infrastructure.

The 209-page interim report--requested by Congress as part of a defense appropriations bill passed last October--laid out, agency by agency, where the United States stands. While the National Plan released a year ago seems to be on track, most agencies are still in the information gathering stage.

In fact, in a survey released last September, the General Accounting Office found that the vast majority of federal systems remained vulnerable to attack.

The CIAO report agreed. "More of the American economy has become dependent on IT systems," it stated. "Those who have the skills and tools to disrupt our networks and systems have also increased, in numbers and in capabilities. Malicious individuals, criminal groups and nation states present significant threats to U.S. information systems."

CIAO hopes to solve the major lack of information through a new initiative dubbed Project Matrix. The project aims to identify key systems in the government and identify how they could be attacked and what would happen in the event of such an attack.

The project has so far red-flagged more than 4,000 physical and cyber "assets" that will need to be protected among the 14 government agencies--plus the military and intelligence communities--that have taken part in the project to date. Fifty of the unnamed assets have been bumped to the top of the critical list and given a green light for further analysis because of their importance.

Not all agencies have taken part in the program, however. Both the Securities and Exchange Commission and the Environmental Protection Agency have only started to work with the Matrix analysis teams, while both the Department of the Interior and Department of Transportation have remained aloof, according to the report.

That makes the next three years a critical period, as networks become more integrated and the threats more serious.

"While ongoing efforts continue to increase security on the nation's current (information) systems, government and industry must insure that security is designed into next-generation networks," the CIAO report stated.

"Economic growth, better government service and efficiency, and a stronger defense are all possible in the years ahead if we continue to give a high priority to securing cyberspace."