Agencies pit education vs. cyberattack

White paper on PDD-63

The Transportation Department and other agencies still have a lot of educating to do to ensure that the nation's critical infrastructure is secured against cyberattack, federal officials say.

DOT will start a full-scale information assurance awareness program now that it has completed a study of the vulnerabilities of the transportation industry, said deputy secretary Mortimer Downey, speaking at the Transportation Research Board's 80th annual meeting Monday.

This program will go beyond just getting a better awareness of the interdependencies between DOT systems, Downey said. "We need to move ahead to get a full understanding of the supporting systems," he said.

The need for such a program stems from Presidential Decision Directive 63, issued by President Clinton in May 1998, requiring agencies to protect the information systems that support the nation's critical infrastructure.

Governmentwide, the next step involves learning new ways to coordinate PDD-63 activities between agencies and devising a system of accountability and responsibility, said Jeffrey Hunker, senior director for critical infrastructure at the National Security Council.

Because there is no single point authority for these efforts, "there is still ambiguity, infighting and lack of clarity when it comes to this issue," Hunker said.

As technology moves forward, one of the biggest education pushes will have to be on the part of research groups working on technologies such as wireless devices, optical networks and the next-generation Internet, Hunker said. While these groups are still trying to understand the technical and market implications of these new technologies, there is the risk of much larger security concerns for users, he said.

In the meantime, agencies will work to make sure the new Congress also understands the security issues federal officials face, Downey said.

The resources provided in the fiscal 2001 budget are still not enough, he said, but officials will be working with Congress to increase the amount of money designated for information security and critical infrastructure protection in the fiscal 2002 budget proposal that will come out next month.