Feds seek cooperation in fighting cyberattacks
October 7, 1999
by Patrick Thibodeau
WASHINGTON, D.C. (IDG) -- Federal officials say they need a private-sector "buy-in" to protect critical public and private information systems. But these officials also acknowledged at a congressional hearing Wednesday that they must first take care of their own security problems, including an ongoing cyberattack that is originating out of Russia.
Testifying before a U.S. Senate Judiciary subcommittee Wednesday, Michael Vatis, a deputy assistant director at the FBI and director of the National Infrastructure Protection Center, offered some details on what may be the leading information security threat in government right now.
Vatis, at a hearing of the subcommittee on Technology, Terrorism and Government Information, confirmed a report that there has been an ongoing attack originating out of Russia that has been aimed at government networks.
The attackers have obtained "unclassified but still-sensitive information" about defense-related matters, he said.
The investigation, involving a number of federal agencies, has been under way for more than a year and is code-named "Moonlight Maze," Newsweek magazine reported recently.
The hearing was called to look at information-security efforts in the public and private sectors. With so much of the nation's critical infrastructure in private hands, a "National Plan" to improve the federal government's information security, due to be released in the next several weeks, will also call for improvements in computer security at private companies.
Vatis, testifying on the government's plan to improve information security, said private systems "have significant vulnerabilities" to attacks from hackers, foreign nations, criminals and others.
"But we shouldn't act as though the private sector doesn't have its act together and the government does," said Vatis. "There are also significant vulnerabilities in government."
The plan, which is being prepared by the Critical Infrastructure Assurance Office (CIAO), a U.S. agency that is coordinating federal information-security planning, won't call for any new laws or regulations that would force companies to take specific actions to strengthen computer networks.
Instead, it will seek the "buy-in" of private companies largely through educational and outreach efforts. Federal security planners are also hoping that auditors and insurance companies will make information security a key part of a company's risk assessment, effectively forcing laggards to make the necessary security improvements, said one federal official involved in this effort.
Peter Browne, a senior vice president at First Union Corp., said the government's approach of seeking cooperation over regulation will be more effective than creating a new government bureaucracy to enforce regulations. The best practices for improving security at private companies are readily available, he said, but the key is to "hold people accountable for implementing those standards."
And one of the best vehicles for ensuring that a company is following best security practices is to have a company's board of directors, usually through an audit committee, question company officials about security, Browne said.
The Judiciary hearing was prompted, in part, by disclosure in August of a plan by the Clinton administration to create a massive Federal Intrusion Detection Network called FIDNET (see "White House plan targets cybercrime"). Privacy groups are warning that FIDNET will intrude into private communications.
"FIDNET won't monitor any private network or e-mail traffic or confer new authority on any government agency, and will be fully consistent with privacy law and practice -- right?" asked Subcommittee Chairman Sen. Jon Kyl (R-Ariz.).
"Right," responded John S. Tritak, the director of CIAO, who said FIDNET is intended to cover only civilian government agencies and to offer a centralized capability for analyzing unusual activity. When criminal intent is found, law-enforcement agencies will be contacted, he said.
The National Plan will ask for $8.4 million in initial funding for the intrusion plan, along with $17 million to provide scholarships to college students for information-technology training. In accepting the money, the student would have to commit to working for the federal government for a certain period of time. Funding will also be used to retrain existing federal workers.
RELATED IDG.net STORIES:
DOD preps for Y2K-related cyberattacks
Senate committee to eye IT security threats
Senate subcommittee on Technology, Terrorism and Government Information
© 2001 Cable News Network. All Rights Reserved.