TESTIMONY

of

John Pescatore
Vice President and Research Director, Network Security
Gartner Group, Inc.

before a hearing
of the

Subcommittee on Government Management,
Information, and Technology

July 26, 2000

Computer Security:
Cyber Attacks - War without Borders

Thank you for this opportunity to address an issue that is of critical importance to industry, citizens and government organizations across the country and the world. Given how important use of the Internet has become to all of these parties, coordinated efforts to increase the security of business processes and technologies are critical to continued productivity gains and growth in the Internet economy.

Using public networks like the Internet for critical business processes requires greatly increased security rigor, in both processes and technology. Gartner Group estimates that it is three to five times more expensive to secure an application that is exposed to the Internet than the same application running on a closed network, if point solutions and ad hoc processes are used. By using architectural solutions and re-defined processes, the cost of security can be halved. We have long advised our clients that one of the most critical security processes to reengineer for Internet-connected systems is Incident Reporting and Response. Businesses such as Cisco and Intel, which now make the majority of their revenue by selling to businesses over the Internet, are examples of companies that have thoroughly upgraded their processes for security monitoring and reporting.

There are a number of ways the Government can help create more coordinated responses to computer and network security incidents. The first is by assuring that all Government computer systems are secure and well managed. The Government should be a model citizen on the Internet - but it is currently far from it. While it was business as usual during the Year 2000 rollover period for most private industry computer systems, many Government (both civilian and DoD) computer systems were shut down or disconnected from the Internet to avoid security problems. During the recent ILU virus attack, threat information seemed to flow much more slowly through Government reporting mechanisms than in private industry. The US Government needs to step up its efforts to be a leader in operational security, not a laggard. This requires increased training of government security personnel and increased coordination between Government agencies.

The Government can also define security standards and use its buying power to make those standards meaningful in the market. While the National Institute of Standards and Technology has a program (NIAP) to define standard protection profiles for security products and technologies, there has been little effort made to move this process on "Internet time" or to require Government agencies to buy products that have been tested to these profiles. By committing the resources to produce timely, targeted Protection Profiles and using them as the basis for government procurements, the government can be a market maker.

The government can also take heed of lessons learned during Y2K preparations and use mechanisms (such as the National Security Telecommunications Advisory Council) as models for how to spur sharing of security incident information. There is no need to create a new "alphabet soup" of competing Government agencies and task forces to attempt to collect and distribute incident and threat information - there are numerous working mechanisms such as NSTAC which have already proven their merit. The Government can also learn from private industry, where industry groups such as Acord (in the insurance industry), BITS (in the banking industry), the Forum of Incident Response Teams, and best practice groups such as those run by Gartner Group provide rich mechanisms for industry to share security information.

A reporting regulation that was used during the pre-Y2K timeframe could also be used to great effect for ongoing security reporting: require public companies to publish information security status information in their quarterly and annual reports. By increasing the importance of security to the boards of directors of corporations, the US Government can drive security to become a part of the bottom line, versus an afterthought. In countries such as Germany, regulations making directors personally liable for security incidents have resulted in greatly increased attention to system-level security solutions.

By any realistic analysis, the increase of business use of the Internet greatly outpaces the rate of successful security attacks - industry is by and large doing a thorough, credible job of protecting its information systems. However, as business increases on the Internet, more sophisticated criminal attacks will follow. By being a model citizen on the Internet, listening to private industry to discover what already works, and avoiding the temptation to force hierarchical solutions on the inherently distributed Internet, the Government can play a leadership role in making the Internet safe for business and government use.

Thank you for your attention.
