Paul Henry, a security and forensic analyst with Lumension, contends that the government's approach to information security is inherently flawed by a dependence on outmoded technologies.
"For example, nearly every security requirement from the government has a line item for antivirus, but antivirus is effectively obsolete," he claimed. "If we are going to have guidance, that guidance needs to address more contemporary technologies such as application control and white listing. Firewalls are another example. The bad guys recognize that all they need to do is run their malicious applications over a port other than the one that is being blocked with a port-centric firewall. The requirements need to be in line with the current technologies. Those products are out there, but the government requirements fall behind the times."
Meanwhile, Andrew Jaquith, chief technology officer for Perimeter E-Security, indicates that the danger level requires immediate attention.
"I think we saw the last round of cybersecurity bills fall victim to partisan wrangling in the Senate," he said. "These bills tend to start off in the right place, they have good intentions, but they get watered down in the important places when the special interests try to replace meaningful aspects with stuff that doesn't matter. There's a lot of noise about having to certify security professionals, for example. But certification does not guarantee anything."
The keys include the ability to measure outcomes, which is often difficult in circumstances where security means that an event failed to occur, said Jaquith. More collaboration also needs to exist between the government and the private sector. "We need to have better sharing without necessarily feeling that you can be sued for disclosing a vulnerability, or sharing information eventually deemed sensitive. So there needs to be some sort of a shield in place in order to get that level of cooperation," said Jaquith.
Most experts agree that an attack upon critical national infrastructure is more than likely to happen.
"Our role in Stuxnet opens up Pandora's box," summarized Henry. "We've basically said that a cyberattack is equivalent to an act of war and could be met with any military response from the United States. But it's pretty clear that the United States was behind the Stuxnet attack against Iran, and people in glass houses probably should not throw stones. Any third world country with a grudge against the United States and an Internet connection has now learned that it is acceptable to promote your political viewpoint by launching a cyberattack. We did it. Why shouldn't they?"
PUBLISHED SEPT. 13, 2012