Security team in money crunch

Faced with a dwindling budget officials with the only governmentwide computer emergency response team (CERT) for civilian agencies are considering floating a proposal to levy a tax on agencies to fund security services for information technology systems. As the Federal Computer Incident Response Capability (FedCIRC) reported last month the number of security attacks on civilian agencies is increasing as the Internet expands. FedCIRC handled more than 244 federal agency security incidents between October 1996 and October 1997 many of which affected thousands of sites and host computers.

FedCIRC evaluates agency systems to pinpoint potential threats offers technical support to recover from unauthorized intrusions and offers training guidelines for agencies to improve security control. The Government Information Technology Services Board (GITSB) last year launched FedCIRC on $3.6 million which will last until September 1998. After that GITSB planned for FedCIRC to become self-sufficient by collecting subscription fees from federal agencies. Because many agencies remain unaware of the potential threat and impact of computer security incidents only six agencies have signed up for the service according to FedCIRC officials.

FedCIRC is evaluating several proposals to obtain funding to enable it to continue operations. One option is to propose to the Chief Information Officers Council that agencies be required to set aside a portion of their annual IT budgets to fund security response services said Patricia Edfors former GITSB champion for computer security and privacy. The proposal she said would be based upon the insurance model that businesses and citizens use to insure various assets. "This is identifying what your assets are figuring out how to calculate a percentage " Edfors said at FedCIRC's annual meeting last month. "How do we get the money to insure these assets? We are insuring these assets against destruction in a lot of cases."

FedCIRC program manager Marianne Swanson said the group has forwarded its updated business plan to the Office of Management and Budget with several options including the agency tax option and its plans to increase agency awareness of security threats.

Agencies may not be aware of potential security threats to their systems because many of those that experience a security breach to their systems never know the attacks occurred.

Of the 92 intrusion incidents to federal agency systems handled by FedCIRC less than 5 percent were recognized by the victims said FedCIRC's Richard Pethia manager of the networked systems survivability program of the CERT at Carnegie-Mellon University which handles FedCIRC incidents in the eastern United States. Those incidents involved 1 841 sites and 18 751 hosts according to FedCIRC statistics.

"Almost none of these things were detected by the federal civilian agencies themselves " Pethia said. "We need to do a lot of work to improve intrusion detection." Pethia said the rate of the incidents that are reported is increasing at the same rate the Internet is growing and officials are seeing increased damage from system attacks. In addition he said there is little evidence of improved security fixes to IT products that may contain security vulnerabilities. "The bugs continue to be there " he said.

"The vendors are interested in time to market. It's very hard for anyone to go to a vendor and get a comprehensive solution to the security problem. The emphasis on ease of use has not been matched by improvements in ease of security implementation." Civilian agencies are not the only ones targeted.

The Defense Department continues to be targeted by unauthorized users attempting to gather data from military systems said Brian Dunphy an intrusion analyst with DOD's emergency response team. Intruders will launch vulnerability sweeps designed to probe tens of thousands of systems around the world to find several that are vulnerable to unauthorized access he said.