Experts Paint Grim Picture of Infosec Readiness
Top Officials from DHS, GAO, Pentagon Testify Before Congress
"Sensitive information is routinely stolen from both government and private sector networks," Philip Reitinger, deputy undersecretary for national protection and programs at the Department of Homeland Security, testified to the House Homeland Security Committee. "We currently cannot be certain that our information infrastructure will remain accessible and reliable during a time of crisis."
Gregory Wilshusen, Government Accountability Office director of information security issues, concurred that threats to information systems are evolving and growing. "Systems supporting our nation's critical infrastructure and federal systems are not sufficiently protected to consistently thwart the threats," he said.
Army Gen. Keith Alexander, director of the National Security Agency and commander of U.S. Cyber Command, testified at another hearing that the military lacks the people and resources to defend the country adequately from vigorous cyberattacks. "We are finding that we do not have the capacity to do everything we need to accomplish," Alexander told the House Armed Services Committee, as transcribed by the BBC. "To put it bluntly, we are very thin, and a crisis would quickly stress our cyber forces. We cannot afford to allow cyberspace to be a sanctuary where real and potential adversaries can marshal forces and capabilities to use against us and our allies. This is not a hypothetical danger."
At the Homeland Security Committee, a prominent cybersecurity policy analyst said the old ways of battling cyber threats haven't worked.
"Since 1998, we have repeatedly tried a combination of information sharing, market-based approaches, public-private partnership and self-regulation in a vain effort to strengthen our cyber defenses," said James Lewis, senior fellow and director of the Technology and Public Policy Program at the Center for Strategic and International Studies (see Time Line of Major Global Cyber Incidents 2010-2011).
"However, despite this dispiriting record of opponent success, I feel confident in predicting that this year, the old, failed formulas will be trotted out again this year," said Lewis, who served as project lead for the Commission on Cybersecurity for the 44th Presidency. "Many of the reports and essays we see emerging now will advocate tired ideas in order to block change rather than increase cybersecurity. While individual government agencies have made strenuous efforts to improve our cyberdefense, as a nation, despite all the talk, we are still not serious about cybersecurity."
Lewis called on lawmakers to review the 44th Presidency Commission's latest report that outlined 10 steps the nation should take to secure key IT systems (see 44th Presidency Commission Issues Update).
"The most important of these were the need for coherent federal leadership, clear authority to mandate better cybersecurity in critical infrastructure and a foreign policy that used both military and diplomatic tools to bring the rule of law to cyberspace," Lewis said.
Wilshusen, citing an earlier GAO study (GAO: Federal IT Security Still at High Risk), said administration and executive branch agencies must take actions to improve the nation's cybersecurity posture, including implementing the actions recommended by the president's Cyberspace Policy Review and enhancing cyber analysis and warning capabilities. In addition, he said, actions are needed to enhance security over federal systems and information, including fully developing and effectively implementing agency-wide information security programs and implementing open recommendations. "Until these actions are taken," Wilshusen said, "our nation's federal and nonfederal cyber critical infrastructure will remain vulnerable."