Former presidential cyber-security advisor Richard Clarke warned lawmakers Tuesday that there is no top-level Administration official dedicated full-time to the safety of the nations information infrastructure. Clarke and other IT experts cautioned that the newly created Department of Homeland Security is not yet prepared to handle the challenges, and they called on Congress to act soon to force network operators to take greater security measures.
Clarke, who resigned from the government in February, made the remarks at a hearing of the House technology and information subcommittee. The federal government needs a chief information security officer with the authority over all agencies, Clarke said, adding that the Office of Management and Budgets efforts to fill this role to date have fallen short.
Protecting information security falls under DHSs broad mandate, but witnesses at the hearing cautioned that cyberspace is being overshadowed by physical infrastructure, which is also within the new departments expansive purview. Rather than remaining a top priority, cyber-security is being buried under wider infrastructure protection initiatives, they said.
"In some respects we have regressed in recent months in our ability to deal with these issues," said Michael Vatis, director of the Institute for Security Technology Studies at Dartmouth College in Hannover, N.H., adding that there is a "serious void" in IT security leadership within the executive branch.
Vatis told lawmakers that many critical positions at DHS remain vacant. The FBIs National Infrastructure Protection Center was supposed to contribute more than 300 positions to the new department, but most of the people in those positions found other jobs at the FBI, leaving a gap in expertise at DHS, Vatis said.
Mark Forman, associate director for information technology at OMB, defended the Administrations approach to cyber-security. He said that the network security performance of federal agencies improved over the last year. Also, Forman said, the process of organizing DHS is still in the early stages.
Subcommittee chairman Adam Putnam, R-Fla., told eWEEK that legislative action is needed this year. A bill has not yet been drafted, he said, but members of the subcommittee are considering several recommendations by IT experts, including Securities and Exchange Commission requirements that companies report on security plans.
Clarke urged lawmakers to mandate tighter safety controls on federal networks. He said that GAO should install vulnerability scanning sensors in all federal agencies networks so that Congress could receive weekly or monthly reports of vulnerabilities. Additionally, all federal employees should have to use "common access cards" along the lines of those used by the Department of Defense.
Clarke also urged the subcommittee to develop a program to secure commonly owned Internet standards, including Border Gateway Protocol and Domain Name System, which he said are extremely vulnerable.
Rep. William Clay, D-Miss., the committees ranking Democrat, said that homeland security and critical infrastructure protection are being used to erode open government, and urged policy-makers to pursue security measures that do not depend on secrecy.
"What is tragic is that this renewed emphasis on secrecy is unnecessary," Clay said.
Latest Security News: