TESTIMONY
of
John Pescatore
Vice President and Research Director, Network Security
Gartner Group, Inc.
before a hearing of the
Subcommittee on Government Management, Information, and Technology
July 26, 2000
Computer Security: Cyber Attacks - War without Borders
Thank you for this opportunity to address an issue that is of critical importance to industry, citizens and government organizations across the country and the world. Given how important use of the Internet has become to all of these parties, coordinated efforts to increase the security of business processes and technologies are critical to continued productivity gains and growth in the Internet economy.
Using public networks like the Internet for critical business processes requires greatly increased security rigor, in both processes and technology. Gartner Group estimates that it is three to five times more expensive to secure an application that is exposed to the Internet than the same application running on a closed network, if point solutions and ad hoc processes are used. By using architectural solutions and re-defined processes, the cost of security can be halved. We have long advised our clients that one of the most critical security processes to reengineer for Internet-connected systems is Incident Reporting and Response. Businesses such as Cisco and Intel, which now make the majority of their revenue by selling to businesses over the Internet, are examples of companies that have thoroughly upgraded their processes for security monitoring and reporting.
There are a number of ways the Government can help create more coordinated responses to computer and network security incidents. The first is by assuring that all Government computer systems are secure and well managed. The Government should be a model citizen on the Internet - but it is currently far from it. While it was business as usual during the Year 2000 rollover period for most private industry computer systems, many Government (both civilian and DoD) computer systems were shut down or disconnected from the Internet to avoid security problems. During the recent ILU virus attack, threat information seemed to flow much more slowly through Government reporting mechanisms than in private industry. The US Government needs to step up its efforts to be a leader in operational security, not a laggard. This requires increased training of government security personnel and increased coordination between Government agencies.
The Government can also define security standards and use its buying power to make those standards meaningful in the market. While the National Institute of Standards and Technology has a program (NIAP) to define standard protection profiles for security products and technologies, there has been little effort made to move this process on "Internet time" or to require Government agencies to buy products that have been tested to these profiles. By committing the resources to produce timely, targeted Protection Profiles and using them as the basis for government procurements, the government can be a market maker.
The government can also take heed of lessons learned during Y2K preparations and use mechanisms (such as the National Security Telecommunications Advisory Council) as models for how to spur sharing of security incident information. There is no need to create a new "alphabet soup" of competing Government agencies and task forces to attempt to collect and distribute incident and threat information - there are numerous working mechanisms such as NSTAC which have already proven their merit. The Government can also learn from private industry, where industry groups such as Acord (in the insurance industry), BITS (in the banking industry), the Forum of Incident Response Teams, and best practice groups such as those run by Gartner Group provide rich mechanisms for industry to share security information.
A reporting regulation that was used during the pre-Y2K timeframe could also be used to great effect for ongoing security reporting: require public companies to publish information security status information in their quarterly and annual reports. By increasing the importance of security to the boards of directors of corporations, the US Government can drive security to become a part of the bottom line, versus an afterthought. In countries such as Germany, regulations making directors personally liable for security incidents have resulted in greatly increased attention to system-level security solutions.
By any realistic analysis, the increase in business use of the Internet greatly outpaces the rate of successful security attacks - industry is by and large doing a thorough, credible job of protecting its information systems. However, as business increases on the Internet, more sophisticated criminal attacks will follow. By being a model citizen on the Internet, listening to private industry to discover what already works, and avoiding the temptation to force hierarchical solutions on the inherently distributed Internet, the Government can play a leadership role in making the Internet safe for business and government use.
Thank you for your attention.