
October 10, 2005 4:00 AM PDT

U.S. cybersecurity due for FEMA-like calamity?

(continued from previous page)

assert they have a role in cybersecurity, it's about a dozen. Whenever you have 12 committees in charge, that means no one's in charge."

The Sept. 11 switch
The most likely reason for the federal government's lack of focus on cybersecurity is straightforward: the attacks of Sept. 11, 2001.

While Internet and computer security may not have been a top priority before the attacks, the topic did draw a smattering of attention from the White House. In February 2000, President Clinton convened a meeting on cybersecurity with technology executives. He returned to the topic in a speech to the Coast Guard Academy a few months later, cautioning that "critical systems like power structures, nuclear plants, air traffic control, computer networks, they're all connected and run by computers."

Then Sept. 11 shifted the Bush administration's attention from hypothetical threats of Internet saboteurs to military action, al-Qaida and the invasion of Iraq.

"Cybersecurity clearly fell off the radar screen when they set up the department, and the department is trying to find its way," said Kurtz, president of the Cyber Security Industry Alliance, which counts as members companies such as Symantec, McAfee, RSA Security, PGP and Computer Associates.

Even before Sept. 11, however, the federal government's cybersecurity efforts were being described as slipshod. In a blistering 108-page report released in early 2001, government auditors said the FBI's National Infrastructure Protection Center had become a bureaucratic backwater that was surprisingly ineffective in pursuing malicious hackers or devising a plan to shield the Internet from attacks.

"DHS has an appropriately large focus on weapons of mass destruction but an inappropriately small focus on critical infrastructure protection, and particularly on cybersecurity."
--Ed Lazowska, computer science professor, University of Washington

When Congress created Homeland Security two years later, the FBI's NIPC was unceremoniously mashed together with the Defense Department's National Communications System, the Commerce Department's Critical Infrastructure Assurance Office, an Energy Department analysis center and the Federal Computer Incident Response Center.

The results have been mixed. A May 2005 report by the Government Accountability Office warned that bot networks, criminal gangs, foreign intelligence services, spammers, spyware authors and terrorists were all "emerging" threats that "have been identified by the U.S. intelligence community and others." Even though Homeland Security has 13 responsibilities in this area, it "has not fully addressed any," the GAO said.

Other analyses have said the agency is plagued by incompatible computer systems, and another found that Homeland Security was woefully behind in terms of sharing computer security information with private companies.

The department has argued that it has not been idle. Last year, it created the National Cyber Alert System, billed as a public-private, nationally coordinated method of dispensing information about Internet threats and vulnerabilities. Other plans include a staged cyberattack exercise scheduled for November.

"Placing responsibility for cybersecurity within the Department of Homeland Security was a necessary move because it recognized how integrated cybersecurity is with other physical security, and to remove it from the department would hurt security in both," said Homeland Security's Whitworth.

"An inappropriately small focus"
But the right tools and funding have to be in place, too, said Ed Lazowska, a computer science professor at the University of Washington. He co-chaired the president's Information Technology Advisory Committee, which published a report in February that was critical of federal cybersecurity efforts.

"DHS has an appropriately large focus on weapons of mass destruction but an inappropriately small focus on critical infrastructure protection, and particularly on cybersecurity," Lazowska said in an e-mail interview.

The department is currently spending roughly $17 million of its $1.3 billion science-and-technology budget on cybersecurity, he said. His committee report calls for a $90 million increase in National Science Foundation funding for cybersecurity research and development.

Until then, Lazowska said, "the nation is applying Band-Aids, rather than developing the inherently more secure information technology that our nation requires."


40 comments

Don't care for the slant of this article!
EMA handles emergencies locally first, makes reports and estimates of required logistics and then calls for FEMA help if/when required including the logistics required (over and above that which they have locally).

Gathering all pertinent information related to the collateral damage and making estimates of the amount and type(s) of logistics required alone took more than a day due to the wide destruction in that area.

And getting together the sheer amount of logistics required takes at least another day or two at best.

Nagin on the other hand had over 250 school busses and all of the city busses to his avail but didn't use them.

Thus let's not drag FEMA in when FEMA isn't to be blamed. EMA is first response... FEMA is called in later. But both usually respond AFTER the damage has been caused.

The city and state are responsible for planning evacuations of that scale and if they are unable to handle it... they can request for FEMA support, but that request must be received prior to FEMA being able to step on the state's toes. That's how state regulations were created and how they still work.

So as for why FEMA didn't respond earlier... who made the call to request assistance. Nagin didn't, Blanco didn't...

As for CyberSecurity heading for a FEMA like catastrophe... Now that the first part of this article has been de-bunked... what similar catastrophe is that?

There are numerous threats which continue to cause worries about our internet. But here too... it's not the CyberSecurity team which DHS heads that will thwart the problem as much as it is each individual ISP's acceptance and implementation of the effective methods to thwart off such attacks.

But with so many conscious objectors and lack of support from ISPs... they're gonna be the future Nagin and Blanco runner-ups if they don't get their cyber-threat-ears out there and start taking more responsibility where the first line of responsibility should be taken.

SPAM is one very good example. SPAM continues to be sent out with spoofed addresses even though that was declared illegal over 1.5 years ago. ISPs are the first line of defense. But many today still don't do anything to stop it. Blocking outgoing port 25 would go a long way to reduce a good amount of SPAM, but they do nothing about it.

Just like Nagin and Blanco... so don't go trying to pin the tail on the elephant in the white house when it belongs on the local donkey!

Walt
Posted by wbenton (519 comments )
Are you serious?
1) While it's obvious that both state and local governments were ill-prepared, FEMA has made woeful blunders. Even if you get your news from Fox News Channel, it should still be obvious.

2) What type of attacks? Well, how about taking down DNS servers? That'd take down the whole Internet. Not to mention attacks on supposedly closed-off infrastructure networks (something like the most recent season of "24").
Posted by Rusdude (170 comments )
$100 million For Ice, No Bid Contracts
Sure 'Noggin and Blink-o were unprepared to handle Katrina, but FEMA was a mess too. FEMA spent $100 on ice alone for Katrina, most of which never got to its destination. Truckers were hired to drive it all over the country, any place BUT New Orleans and Mississippi. After playing who's on first with the ice, because FEMA lacked a useable computerized inventory tracking system, it was finally put into cold storage at various warehouses across the country.

There's also the issue of numerous FEMA no-bid contracts. Yes, that again! So don't try to put all the blame on the local party hacks, FEMA created its own disaster. The point of this story is that DHS Cybersecurity is another FEMA waiting to happen. Will we all be surprised when it happens, when Congress calls for yet another blue-ribbon committee after the fact? When the Schummer-Feinstein-Boxer-Sharpton-Jackson hacks swoop down and again try to make it a purely Republican issue? Well at least CNET readers won't be surprised.
Posted by Stating (870 comments )
This is a joke
Losing access to google, email, and the ATM for several hours is not the same as losing your home to wind and flooding. Cybersecurity have been warning about a digital pearl harbor for years, mostly as a tactic for the government to throw more R&D dollars their way.
Posted by (45 comments )
Ignorant
There's an unlimited number of scenarios that would have devastating effect. Losing Internet communications might not be a big deal to you, but it would be for businesses like finance industry. Today's markets are dependent on principle of continuity (in a sense that after market closes today, it'll be open tomorrow). Losing connectivity even for a day wouldn't cause $200 billion in damages (although it'd still be billions in lost revenue/profits) but it'd be much more of a shock in terms of market confidence.
Posted by Rusdude (170 comments )
I agree, who cares right now?
more diversion from rove/delay
Posted by (2 comments )
gosh, this is really swell ...
:)
Posted by Lolo Gecko (131 comments )
Maybe if Cnet could make its made-up news funny...
...I wouldn't feel like it was three minutes of my life I'll never get back.
Posted by M C (572 comments )
... and were it not for the ozone layer ...
the sky would also be falling :)
Posted by Lolo Gecko (131 comments )
Dreaming the Impossible DHS Dream
Tom Ridge, James Loy, Asa Hutchinson, Frank Libutti, Robert Liscouski, C. Suzanne Mencer, Patrick Hughes, Stewart Verdery, Sue Mencer ... and more, leaving like so many rats scurrying from a sinking Department of Homeland Security ship. Will the last one leaving please turn off the DHS computer?

Getting a mega-bureaucracy like DHS and its Cybersecurity organization to meet their national cybersecurity responsibilities by throwing more and new bureaucrats at the multiple holes left in the Org. Chart, works counter to circumventing a future FEMA-like Cyber-Calamity.

The departure in January 2005 of Liscouski, a non-techie career Intel cop, was no great loss. He was a bureaucratic Nero who both fiddled and oversaw the musical chairs in the Office of the Cybersecurity Czar as knowledgeable Cybersecurity Czar techies like Clarke, Schmidt, Yoran came, got frustrated and left.

Top bureaucrat Liscouski pretended he was facilitating and aiding these Cybersecurity Czars in performing and conducting important cybersecurity and physical-infrastructure protection technical work while he apparently was only overseeing, implementing and pursuing a policy of benign Cyber-neglect. Then, in January 2005, when faced with having to work for the new, incoming DHS Chief, lawyer Michael Chertoff, he cut and ran out with the exiting crowd.

These sweeping leadership and staff changes in DHS's structure in 2005 only served to further delay creation and delivery of an implementable National Plan for Critical Cybersecurity Infrastructure and the smart Cybersecurity solutions to go with it.

Jim Lewis of CSIS said, "It's been a mess for over four years, and hopefully the new folks will fix this." Sad to say that Jim Lewis is dreaming the impossible dream if he thinks throwing a new crop of bureaucrats at the National Cybersecurity problem will fix it. JP B-)
Posted by Catgic (106 comments )
Could DHS organize a pee-up
Could DHS organize a pee-up in a brewery? It's great for us Europeans to see U.S. struggling on the smaller things in life. Pity you guys only know how to drop bombs and kill thousands upon thousands of innocent women and kids in Iraq from 40,000ft up in the air. Pity your armed forces are completely useless on the ground. Kinda reminds me of Katrina really. If it don't involve fighter jets, then U.S. are ill-prepared for anything.
Posted by n3td3v (3164 comments )