The United States is more dependent on the Internet than other nations, Alan Paller, Director of Research at The SANS Institute, told the Senate Committee on Homeland Security and Governmental Affairs.
During a hearing on June 15 to discuss the Protecting Cyberspace as a National Asset Act of 2010, Paller told members of the Committee, “our cyber defense must be near perfect. It is not even close.”
The nation’s critical infrastructure and intellectual property are under attack, Paller said. The United States is losing huge quantities of intellectual property to other nations, who use it to further their own research.
“The defense industrial base is the most valuable and fertile target for nations that want to steal military technology data rather than fund their own technology research,” he said. “Additionally, an epidemic of intellectual property cyber theft is plaguing companies and their law firms and their consultants, especially those doing business with Asian nations.”
The issue of cyber crime is also particularly prevalent, with U.S. government websites being infected and used for cyber crime. Additionally, cyber crime is another avenue used by terrorists to raise badly needed funds, according to Paller.
“The government and critical infrastructure organizations are terribly vulnerable because … they unknowingly purchase and deploy computer software and hardware that have design flaws and software bugs,” he said. “Those vulnerabilities enable cyber spying and cyber crime.”
The current FISMA structure is partially to blame, according to Paller. FISMA is largely seen as a compliance-driven process devoted to the production of “useless” reports rather than to verifying the security of the systems. Paller, in part, blames this problem on the lack of practical experience among the standards developers.
“They don’t know how the attacks work so they cannot know how to prioritize their guidance,” he said.
The newly proposed legislation would help to rectify some of the problems inherent in FISMA, Paller said.
“The legislation undoes the central error of FISMA by removing the requirement that FISMA guidance documents are mandatory,” he said. “Senate Bill S. 4480 also presses agencies to stop spending money on out-of-date reports and instead focus their spending on continuous monitoring and risk reduction.”
Paller also praised the bill for its language on supply chain management, regulatory frameworks and the section on manpower.
“Your procurement and supply chain language is both important and innovative,” he said.
Supply chain security is vital to stop code from being embedded on hardware or software before it is delivered. Paller encouraged the authors to add a section that required testing of newly manufactured technology prior to delivery.
“The regulatory framework and the emergency measures you establish for the critical infrastructure are long overdue,” he said. “One caveat. The structure might not be as effective as it needs to be. Some of the language will lead to long delays in implementing effective defenses.”
Finally, the manpower section of the bill is important in looking to build a skilled cyber workforce, Paller said.
“The manpower section will help DHS build its cyber employee base and help grow the workforce, but it needs one critical change,” he said. “It calls for training of people with specialized security skills, but has no mechanism to assure the training was effective.”
Instead, Paller advocated that the authors add a requirement to validate the cyber skills of employees and contractors.