Senate Delay Muddles Security Reporting | eWeek

Senate Delay Muddles Security Reporting

Écrit par
Dennis Fisher
Dennis Fisher
Oct 7, 2002
3 minute read
eWeek Le contenu et les recommandations de produits sont indépendants de la rédaction. Nous pouvons gagner de l'argent lorsque vous cliquez sur des liens vers nos partenaires. En savoir plus

As the bill authorizing the proposed Department of Homeland Security languishes in the Senate, government officials are discussing the possibility of informally consolidating federal information security agencies, according to sources familiar with the plan.

The effort would take the place, at least temporarily, of more formal consolidation spelled out in the Homeland Security proposal, sources said. Specifically, the new plan calls for the FBIs National Infrastructure Protection Center, the Federal Computer Incident Response Center and other organizations to begin meeting on a regular basis, weekly perhaps, and share duties and results from their operations, they said.

The move comes amid growing concern among security experts that delays in the passing of the bill are hampering sorely needed efforts to improve vulnerability reporting and response.

“I think if [the delay] lasts more than four or five weeks, [the informal consolidation] will happen and probably without any government edict,” said Alan Paller, director of research at The SANS Institute, in Bethesda, Md.

Security experts say the fact that the government is even discussing such an idea outside the Homeland Security bill is indicative of how much things have changed in Washington.

“The government after [Sept. 11, 2001] realized that their methods for gathering intelligence and sifting it wasnt working,” said Kevin Nixon, senior director of business strategy on the staff of the chief security officer at Exodus, a subsidiary of Cable & Wireless plc., based in London. “They need to use nonconventional methods. It shows theyre using breakthrough thinking.”

Government officials, particularly Richard Clarke, chairman of the Presidents Critical Infrastructure Protection Board, have said they want security researchers to report new vulnerabilities directly to the government and no one else, except the affected vendors. But the rats nest of federal security groups and their fuzzy areas of responsibility make such reporting difficult.

Whats needed, researchers say, is a single point of contact within the government for vulnerability reporting.

“Theres so much overlap with all of them, you never know who to deal with,” said Dan Ingevaldson, team lead on the X-Force research and development team at Internet Security Systems Inc., in Atlanta. “Its pretty obvious theres a need [for consolidation of the governments personnel].”

In the meantime, however, government officials are urging researchers to take care with their discoveries.

“It is irresponsible when you find a vulnerability to tell everyone in the world about it. It is the height of irresponsibility,” Clarke said this week. “Tell the right people and keep it secret until a patch can be distributed.”

The administration—and much of Congress—had hoped to enact the Department of Homeland Security bill by Sept. 11. In July, the House of Representatives approved a bill supporting the administrations vision for the department, but the legislation is stymied in the Senate, where a partisan debate over the collective bargaining rights of department employees has prevented a vote.

The Senate had planned to adjourn by the middle of this month in light of next months election, but efforts to bring the Department of Homeland Security measure to a vote may keep the chamber in session longer and may bring lawmakers back to Washington after the election. At this point, the issue appears sufficiently bogged down to preclude a vote before the 107th Congress comes to a close. If that happens, debate could begin from scratch when the new Congress convenes in January.

As proposed, the Information Analysis and Infrastructure Protection section of the Department of Homeland Security would subsume a portion of the NIPC, FedCIRC, the Critical Infrastructure Assurance Office at the Department of Commerce, the National Communications System at the Department of Defense, and the Department of Energys National Infrastructure Simulation and Analysis Center, as well as taking some personnel from the Secret Service. Currently, these groups operate autonomously, with little information shared among them.

Additional reporting by Caron Carlson

Related Stories:

  • Smaller Firms Demand More From Bush Plan
  • Feds Delay Release of Cyber-Security Plan
  • Commentary: Cyber Plan Delay Invites Much-Needed Public Comment
  • Special Report: Bushs Cyber-Security Plan
eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Propriété de TechnologyAdvice. © 2026 TechnologyAdvice. Tous droits réservés

Divulgation publicitaire : Certains des produits qui apparaissent sur ce site proviennent d'entreprises dont TechnologyAdvice reçoit une compensation. Cette compensation peut influencer la façon dont les produits apparaissent sur ce site, notamment l'ordre dans lequel ils apparaissent. TechnologyAdvice n'inclut pas toutes les entreprises ou tous les types de produits disponibles sur le marché.