The ripple effect

Government Information Security Reform Act

At first blush, the Sept. 11 attacks on the Pentagon and the World Trade Center would seem to have clearly demonstrated that more traditional, low-tech terrorist tactics such as kamikaze planes remain dominant over the much-discussed "cyber Pearl Harbor."

Yet experts say that with increased focus on overall security, agencies are also now re-examining cybersecurity plans, with the expectation that enough money will flow in to carry out many of those plans.

Much like the tide that raises all boats, security experts expect that the increased focus on rigid security measures will include additional attention to information technology security measures, said Ray Bjorklund, a vice president for Federal Sources Inc., a McLean, Va., market research firm. "I think it benefits security overall," he said.

Even those who specialize in cyber.security issues acknowledge that the tragedies at the Pentagon and World Trade Center dwarf anything that terrorists could have done in a cyberattack.

"I've been doing cyber stuff for a long time," said Scott Charney, former head of the Justice Department's Computer Crime and Intellectual Property Section and currently a principal at PricewaterhouseCoopers LLP. "It's hard to envision any type of cyberattack that would have wreaked such havoc on so many cities, on so many buildings, on so many families, on so many lives."

In the immediate future, law enforcement officials who have been working on cybercrime will rightly be called upon to address the more immediate task of finding the terrorists and securing the traditional physical infrastructure, said Alan Paller, director of research for the SANS Institute, a security education and consulting organization.

"That's a natural consequence," Charney said.

The fact that the Sept. 11 strikes used more traditional methods may dilute the focus on critical infrastructure protection, but it will not eclipse it altogether, said Michael Brown, director of the Federal Aviation Administration's Office of Information Systems Security.

Brown and his fellow federal information security administrators are now working to ensure that cybersecurity is not overlooked in the rush to react to the very physical attacks on the World Trade Center towers and the Pentagon.

If anything, the attack on one front is pushing government to make sure all fronts are secured, said Kevin Deeley, acting deputy director for the information management and security staff at Justice. The department has moved quickly to tighten network access and authentication of users, and put in place other measures that until now had been only in the planning stages, he said.

The day after the attacks, members of the Senate Governmental Affairs Committee expressed concern that the focus on physical security meas.ures would overshadow other forms of attack, including biological and cyber.

"While it has never been easy to protect our critical infrastructure from conventional attacks...it is even more difficult to protect against cyberattacks," said Sen. Joe Lieberman (D-Conn.), committee chairman, during a previously scheduled hearing on the security of the information systems that support critical infrastructure sectors such as telecommunications and transportation.

The FAA is a major player in any initiatives taken on both the physical and cyber sides. The General Accounting Office and the FAA inspector general issued multiple reports in 2000 criticizing the agency's information security status. The FAA has moved this year to address the issues, including hiring Brown in April.

The programs and initiatives developed since the reports were issued were to be in place across the next two to three years. Now, "I feel that the process will be greatly accelerated," Brown said.

Already, the FAA Computer Security Incident Response Center, a part-time operation not expected to be running around-the-clock for another nine months, is fully operational, he said. The agency is also pushing to speed a program to test its networks, and to roll out a security-training plan before the end of this month that will go out to all FAA facilities. The office of the FAA chief information officer pays for that training plan.

And the agency is moving forward "aggressively" with an effort started before Sept. 11 to map all of its networks to find potential vulnerabilities through access points and links between networks, Brown said.

"We're really going to go after strong identification and authorization of people in our networks," he said.

The morning of Sept. 11 —in fact, while the attacks were taking place —Richard Clarke, national coordinator for security, infrastructure protection and counterterrorism at the National Security Council, told a group of federal and industry security experts that the White House was readying an executive order to reorganize federal critical infrastructure protection efforts (see story at right).

Those efforts started under President Clinton in 1998 with Presidential Decision Directive 63, which requires agencies to take steps to protect the nation's critical infrastructure, in an attempt to raise civilian agencies' awareness of their role in national security.

Much of the early work on PDD 63 has focused on the information security aspects of critical infrastructure protection, because that area is less familiar. But it is important to remember in times such as this that the directive addresses both physical and cyber weaknesses, said Roberta Gross, inspector general at NASA, which led the first reviews of federal PDD 63 plans.

In the environment after Sept. 11, there is an even greater need for the promised direction from President Bush, said Sen. Robert Bennett (R-Utah), a longtime proponent of stronger cybersecurity.

"This was an attack on the infrastructure, and it wasn't an attack on the military," Bennett said.

During the past few years, the level of security awareness in the federal government has improved, said Laura Callahan, deputy CIO at the Labor Department and co-chairwoman of the CIO Council's Security, Critical Infrastructure and Privacy Committee. But the proof of true understanding of security threats to the government will be demonstrated only after agencies receive the resources from Congress and from their administrators to follow through on the security programs that get political support right now, she said.

Agencies could find that previously unfunded IT security plans will gain new attention and support, experts said.

Some of that renewed commitment might show when Congress gets reports on agencies' security status from the Office of Management and Budget. Agencies and their inspectors general submitted reports to OMB by Sept. 10 on the security assessments performed under the Government Information Security Reform Act of 2001, and OMB is required to provide a summary of those reports to Congress.

By Oct. 20, agencies also must provide OMB with a report on the strategies, milestones and obstacles involved in addressing any of the weaknesses found in the assessments.

Rep. Stephen Horn (R-Calif.), chairman of the House Government Reform Committee's Government Efficiency, Financial Management and Intergovernmental Relations Subcommittee, also plans to release his next round of report cards on agencies' information security status by the end of the month, said Horn's spokeswoman Bonnie Heald.

Horn issued his first security report card in September 2000, giving the government an overall grade of D-minus. Following the attacks, this year's report card probably couldn't come at a better time, Heald said.

"Certainly, this incident will cause people to study how well we did and how we can do better," PricewaterhouseCoopers' Charney said.