GSA waits for FIDNet funding

The General Services Administration last week said it has put on hold the next step in its part of the national plan to protect critical federal information systems from cyberattacks until a $10 million amendment to the agency's fiscal 2000 budget is approved.

The $10 million will provide funding for the continued development of the Federal Intrusion Detection Network (FIDNet) pilot, including a joint program office that will lead the project to the next level. The president is expected to release the amendment to Congress this week.

FIDNet is intended to supply a central office to help agencies respond to attacks on their computer systems by using advanced intrusion-detection technologies and to coordinate a national response to any attacks. Initial work on the pilot is under way, but implementation cannot start without guaranteed resources, said Tom Burke, assistant commissioner for information security at the GSA Federal Technology Service's Office of Information Security.

"Until you get the resources or the wherewithal to move forward, you're in limbo until Congress approves the dollars," he said. "And until that time, you need to do what you can with shared, interagency resources, but there's only so far that can go."

But some feel the extra money is not yet needed because the coordinated attacks that FIDNet is designed to respond to are not a large threat right now.

"It seems to me that it is not warranted for a number of years," said Willis Ware, chairman of the Computer System Security and Privacy Advisory Board (CSSPAB) and a member of the research staff at Rand Corp.

For the small number of true organized malicious attacks on U.S. information systems that is expected occur in the next year, it would be much easier and cheaper for the government to set up points of contact at each agency that can interact when issues arise, Ware said.

The FIDNet pilot will complement education, research and development initiatives under way at several other agencies and organizations as laid out in the National Plan for Information Systems Protection, which is expected to be released by the Critical Information Assurance Office in mid-October.

The plan has been under development for more than a year, and the decisions about which agencies would be responsible for each section were made in March, well after agencies had to get their budget requests to the Office of Management and Budget, Burke said.

"It wasn't even sorted out last year at that time," he said.

Burke laid out the timeline for the FIDNet pilot at a meeting of the CSSPAB last week, including the creation of a joint program office with representatives from the CIAO, OMB, the Justice Department and agencies that will be involved in the pilot, which could include the Energy Department and the Federal Aviation Administration.

"We will try to use them as prototypes and help us understand the [intrusion detection] technology," Burke said.

Several members of the CSSPAB wondered whether GSA would fund all intrusion-detection systems within agencies, but Burke said it is up to each agency to purchase and put in place an internal system that can interact with FIDNet.

The other lead agencies for the national plan, including the Energy, Transportation and Treasury departments, also will be looking for money to fund their portions of the plan, officials said.

The money for GSA will go toward several other areas of the FIDNet pilot, including creating the Federal Intrusion Detection Analysis Center, a group within GSA that will help agencies understand and respond to potential intrusions.

"It will provide the initial analysis and warning capability that we need [for] working with the agencies and departments," Burke said.

Beyond the programming functions, the $10 million will help GSA evaluate and select possible intrusion-detection technology for the pilot.

In June the agency released a request for information to industry for input on how intrusion-detection technology will advance in the next two to three years, looking for technology that will enable agencies to detect and react to previously unrecognizable attacks.

Over the next year, GSA plans to evaluate the information submitted by vendors, release a final solicitation and ideally have solutions selected by the end of 2000, Burke said.