Cyber weaknesses take the national spotlight

USA Patriot Act - Section 1016 - Critical Infrastructure Protection

The basis of a good security plan is determining the vulnerabilities and risks that must be addressed, and for the first time, the federal government has decided to find those vulnerabilities on a national level.

The top priorities for the Critical Infrastructure Protection Board are to identify the critical systems, identify the vulnerabilities to those systems and establish plans to protect them, said Paul Kurtz, director of critical infrastructure under the new Cyberspace Security Adviser Richard Clarke. Kurtz was speaking Nov. 16 at the New Reality of E-Security conference, sponsored by the National Science Foundation's Digital Government Program.

President Bush created the board through an executive order that revised a directive the Clinton administration put in place in 1998. The board oversees the cybersecurity side of critical infrastructure protection.

One of the elements that will help the board accomplish its mission is a new requirement by the Office of Management and Budget that the largest agencies use an assessment tool called Project Matrix. The tool adheres to the steps outlined by Kurtz, identifying an agency's critical assets and the systems that support them, which forms the basis for prioritizing resources within each agency.

During the Clinton administration, the Critical Infrastructure Assurance Office created Project Matrix. The administration encouraged agencies to use the tool, but never required it.

As part of its new requirement for agencies to use Project Matrix, OMB will identify several cross-government activities and lines of business for reviews, said Mark Forman, OMB's associate director for information technology and e-government, at a Nov. 9 hearing.

"In this way, we will have identified both vertically and horizontally the critical operations and assets of the government and their relationships beyond government," Forman said at the hearing on federal agencies' security, which was held by Rep. Stephen Horn (R-Calif.).

The CIAO, a small interagency organization, is already working with nine agencies on Project Matrix assessments. Several federal security experts expressed concern that the CIAO does not have the resources to perform assessments for every agency, but the office will likely get additional personnel to help out, according to government officials.

OMB is also working with consulting firms, including Booz Allen Hamilton, to identify other assessment tools, Forman told Federal Computer Week.

In addition, OMB asked the CIAO to create a new methodology, based on Project Matrix, to identify and prioritize assets that are not among the most critical, said John Tritak, director of the CIAO. Besides helping to create a protection plan, the reviews will help OMB and agencies provide funding justification to Congress during the budget process, Tritak said.

Project Matrix "is a very important program that we strongly support," and it is a priority for the board to figure out how to help agencies get more use out of it, Kurtz said.

A larger assessment tool — the National Infrastructure Simulation and Analysis Center (NISAC) — is just getting started. The Critical Infrastructures Protection Act, part of the newly passed USA Patriot Act of 2001, authorizes the creation of the center under the Defense Threat Reduction Agency (DTRA).

NISAC already exists, as a partnership between DTRA and the Los Alamos, Sandia and Lawrence Livermore national laboratories. In the past, the center has focused on nuclear and telecommunications infrastructures. The new act — first sponsored by Sen. Pete Domenici (R-N.M.) in September before the terrorist attacks — expands NISAC's mission to provide modeling, simulation and analysis of the vulnerabilities and possible protections for all critical infrastructures, including the cyber infrastructure.

"The more we understand, the better we can protect against such disruptions," Domenici said in a statement when the bill passed. "This proposal would harness the unparalleled supercomputing capabilities of our national laboratories to give local, state and national planners detailed information about critical infrastructures so that they can respond to any potential crisis."

The act authorizes $20 million for DTRA, and Domenici and Rep. Heather Wilson (R-N.M.) have both said they will push to get that money included in the fiscal 2002 Defense appropriations.

All of these assessments "are the basic building block from which you build your cybersecurity," Kurtz said.

***

Taking note

The tools that agencies can use to help assess the vulnerabilities in their interdependent networks include:

* Project Matrix. Developed by the Critical Infrastructure Assurance Office, Project Matrix is an assessment and prioritization tool for agencies.

* National Infrastructure Simulation and Analysis Center. Authorized in October as part of the USA Patriot Act of 2001. NISAC will provide modeling, simulation and analysis of the interdependencies and vulnerabilities in the nation's critical infrastructure — including cyber, telecommunications and physical infrastructures.