Thirty-three months after a presidential order mandated that government
agencies work to protect the United States' critical infrastructure, most
have merely taken a few baby steps toward securing the country's computers
and networks, according to a White House report.
The report found that the government has made progress in cementing
industry-government partnerships around critical technologies, securing
Department of Defense networks, and forming at least one education
initiative for training security personnel. But it noted that there is
still no way to locate and fix vulnerable critical systems and no means of
tracking the progress of the various departments' pursuits of cybersecurity.
"Achievements to date are notable, but there is still work to do," stated
the report, released a week ago by the Critical Infrastructure Assurance
On May 22, 1998, President Clinton signed Presidential Decision Directive
63, a rallying cry for the United States government to work with industry
to secure the country's critical computer systems from cyberattack. The
directive called for a national plan to protect such systems and periodic
reports of the progress made in securing the U.S. infrastructure.
The 209-page interim report--requested by Congress as part of a defense
appropriations bill passed last October--laid out, agency by agency, where
the United States stands. While the National Plan released a year ago seems
to be on track, most agencies are still in the information gathering stage.
In fact, in a survey released last September, the General Accounting Office
found that the vast majority of federal systems remained vulnerable to attack.
The CIAO report agreed. "More of the American economy has become dependent
on IT systems," it stated. "Those who have the skills and tools to disrupt
our networks and systems have also increased, in numbers and in
capabilities. Malicious individuals, criminal groups and nation states
present significant threats to U.S. information systems."
CIAO hopes to solve the major lack of information through a new initiative
dubbed Project Matrix. The project aims to identify key systems in the
government and identify how they could be attacked and what would happen in
the event of such an attack.
The project has so far red-flagged more than 4,000 physical and cyber
"assets" that will need to be protected among the 14 government
agencies--plus the military and intelligence communities--that have taken
part in the project to date. Fifty of the unnamed assets have been bumped
to the top of the critical list and given a green light for further
analysis because of their importance.
Not all agencies have taken part in the program, however. Both the
Securities and Exchange Commission and the Environmental Protection Agency
have only started to work with the Matrix analysis teams, while both the
Department of the Interior and Department of Transportation have remained
aloof, according to the report.
That makes the next three years a critical period, as networks become more
integrated and the threats more serious.
"While ongoing efforts continue to increase security on the nation's
current (information) systems, government and industry must insure that
security is designed into next-generation networks," the CIAO report stated.
"Economic growth, better government service and efficiency, and a stronger
defense are all possible in the years ahead if we continue to give a high
priority to securing cyberspace."