OMB, DHS take various steps to secure networks

Secure desktop configuration, training and a software acquisition guide should make federal systems more secure, officials say.

WILLIAMSBURG, Va. — Agencies report on average about 30 incidents a day in which an employee has lost personally identifiable information. And despite a constant barrage of memos from the Office of Management and Budget in the past 15 months detailing steps agencies should take to secure personal information, the number of data breaches will continue to rise, federal and private-sector experts say.

“Cybercrime is big business,” said Greg Garcia, the Homeland Security Department’s assistant secretary for cybersecurity and communications. “Some estimate that it is a $100 billion industry with botnets, phishing scams, adware and spyware attacks.”

Consequently, DHS and OMB are promoting a series of programs to try to close vulnerabilities and minimize the impact of the attacks.

Karen Evans, OMB’s administrator for e-government and information technology, said the government’s move to a standard desktop configuration for Microsoft Windows, and the requirement that vendors’ products run on that baseline without changing it, will make a huge difference.

“We will have one standard configuration for the entire government — one means one,” Evans said at the 17th annual Executive Leadership Conference, sponsored by the Industry Advisory Council. “Every agency needs to have a governance process to test and make changes so applications don’t break.”

Evans said vendors must test their software against the virtual standard desktop the National Institute of Standards and Technology is providing.

“Agencies will not buy your products if they change the standard desktop configuration settings,” Evans said. “We believe this will increase the security posture of agencies and they will not have to redo it for each application.”

The desktop standard also will help agencies move toward situational awareness, in which they can perform real-time discovery and monitoring of their systems.

“That is the next area the Security Line of Business will address,” Evans said.

She said agencies have until February 2008 to install the standard desktop configuration. After that, OMB will take statistical samples of agencies to see which have met the mandate. Evans also said OMB will ask agency inspectors general to evaluate agency progress.

“We will work with the [CIO] Council to put mechanisms in place to look at the statistical sample and see where agencies need help,” she said.

Garcia said DHS is also working on tools to help the public and private sectors improve cybersecurity.

“Attacks against the government in fiscal 2006 were up to 37,000, up from 24,000 in 2005,” Garcia said. “Some of that was because agencies are reporting more, but it also is because where there are opportunities there is danger.”

Garcia said DHS is taking a three-pronged approach to improve cybersecurity: improving training, education and awareness; improving the processes by which systems are secured; and depending on technology to secure networks.

“Our strategy must evolve with the threats,” he said. “Most cyber incidents are a result of human error.”

DHS issued a draft baseline of IT security skills needed to mitigate cyberattacks. It will accept comments on the framework until Dec. 7.

It is also working with the National Security Agency to add 12 academic centers of cyber excellence.

Garcia said DHS is planning for the Cyber Storm II exercise in March 2008. It will include nine agencies, 10 states, 45 companies and 10 information-sharing analysis centers.

“The exercise will give us an opportunity to understand interdependencies and make us better equipped to work together,” he said. “We found out last time that we had enough resources to respond to one or two major attacks, but if we had multiple attacks on many critical sectors we wouldn’t be in good shape.”

As for technology, Garcia said DHS will publish a software assurance acquisition guide by Dec. 31.

“The guide will help professionals incorporate security aspects into all parts of the supply chain,” he said. “It gives contract language and best practices. It can be a shining example of how acquisition can help secure systems.”

DHS is also developing a self-assessment tool to let entities evaluate their vulnerabilities using federal and international standards.

“The tool poses a series of questions to the enterprise administrator so they can use best practices to improve their cybersecurity,” he said.