Agencies urged to report cyberattacks

The central organization for incident warnings and analyses announced a series of tools to help agencies improve their information security programs


As federal agencies work to improve their information security programs, the central organization for incident warnings and analyses recently announced a series of tools that will be available this year to help them do so.

The Federal Computer Incident Response Center (FedCIRC) is enhancing its resources to decrease the government's vulnerability to cyberattacks, said Sallie McDonald, assistant commissioner for information assurance and critical infrastructure protection at the General Services Administration. FedCIRC is now in its second year of appropriated funding through GSA.

FedCIRC initiatives range from a system designed to overcome difficulties in tracking and implementing security patches to a proposed guide on how to report incidents to the center. Most security incidents could be prevented if agencies had easy access to and applied patches for known vulnerabilities, said Larry Hale, the center's liaison director.

If FedCIRC received a steady stream of reports from agencies across government, its staff would also be able to spot governmentwide patterns when incidents start and could help agencies address more serious cyberattacks before they become problems, Hale added.

A tool being developed by the CERT Coordination Center at Carnegie Mellon University to address that complex problem would automatically analyze agencies' incident information and feed that analysis to FedCIRC for a governmentwide view. FedCIRC officials are already talking with agencies about participating in a pilot project by year's end, with the hope of having the tool operational in 2003, McDonald said.

Tools that make a security manager's job easier will always be welcomed, said Alan Paller, research director for the SANS Institute, a security education and consulting organization.

"These are substantial timesavers for the agencies, and whenever FedCIRC does something that is a substantial timesaver, they are going to get a lot of support," he said.

FedCIRC's focus on automating the security process is important, especially when it comes to reporting incidents, because "when you're up to your neck in trying to solve a computer attack, the fact that you didn't report it isn't your biggest problem," Paller said.

The FedCIRC initiatives are only part of the larger effort to secure the government's information networks. President Bush's new Critical Infrastructure Protection Board, chaired by Cyberspace Security Adviser Richard Clarke and made up of top officials from every agency, has brought attention to information security issues at the highest levels, and that awareness can only help the work being done at agencies, McDonald said.

"I am feeling very hopeful [about] the work that you'll see out of the board in the next year," she said.

Within the Bush administration, officials are trying to make it clear to agencies that FedCIRC cannot be effective unless agencies have good security measures in place.

"FedCIRC can't help us unless they get information" from agencies on a regular basis, said Glenn Schlarman, a senior security policy analyst at the Office of Management and Budget.

OMB's recent review of agencies' security self-assessments showed that agencies are still behind in establishing standard procedures for reporting incidents to FedCIRC, even though the reports are required under policy and legislation, Schlarman said.

It is a good first sign, Hale said, that more agencies are developing their own incident response centers and security programs, and taking advantage of the commercial products and services available through vehicles such as the GSA Safeguard security contract.

***

FedCIRC's 2002 work

Federal Computer Incident Response Center initiatives in 2002 include:

* Patch dissemination system. The request for proposals closes this month for a system to help agency security managers filter the continuous flow of commercial software patches so that they receive only those applicable to their agencies' networks.

* Data analysis capability. Carnegie Mellon University's CERT Coordination Center is developing a tool that will automatically analyze incident information from agencies' security applications, then feed that data to FedCIRC for a cross-agency view.

* Security collaboration system. FedCIRC will soon release an RFP for a Web-based collaboration system where authorized security managers and system administrators can share information and expertise on sensitive, but unclassified, issues.

* Reporting guidelines. Detailed guidelines for agencies, developed with the Office of Management and Budget and other experts, will explain how to report information to FedCIRC on a regular basis. Officials expect to release them by year's end.