The wave of distributed denial-of-service attacks that hit U.S. government Websites last week has prompted U.S. Sen. Tom Carper (D-Del.) to renew his call for legislation reforming the way federal agencies defend their sensitive information. Carper, chairman of the Senate Subcommittee on Federal Financial Management, Government Information, Federal Services and International Security, introduced a cyber-security reform bill in April.
The attacks began July 4 and crippled such sites as the Treasury Department, Secret Service, Federal Trade Commission and the Transportation Department. Some of the sites were still experiencing problems as late as July 7.
At the same time, sites of 11 South Korean organizations were targeted as well, leading to speculation of a possible coordinated, nation-state-sponsored attack. According to the South Korean National Intelligence Service, the attacks were apparently conducted by “a certain organization or state.”
While speculation has centered on North Korea as the perpetrator of the attacks, South Korean computer security analysts claim they have pinpointed the attack as an updated version of the Russian MyDoom virus.
“We need to pass this legislation so our federal agencies can stop spending billions of taxpayers’ dollars on wasteful paper compliance and instead invest in real security – the kind of security that prevents these types of attacks against the United States,” Carper said in a July 8 statement. “We know that in most cases, cyber-criminals prey on insecure software and hardware, and my bill will provide incentives for the federal government to use its great purchasing power to demand private companies sell our agencies more secure products.”
The Carper bill (S. 921) would reform the Federal Information Security Management Act of 2002 and empower federal cyber-security officers to focus their efforts on monitoring, detecting and preventing cyber-intrusions. Specifically, the legislation would increase the power of the Department of Homeland Security’s US-CERT to take proactive actions before a cyber-attack penetrates government networks.
“Our nation comes under attack every day by hackers, cyber-criminals and even other countries. Our oversight has shown that, to date, agencies have not done what is necessary to ensure that sensitive information and critical infrastructure is secure,” Carper said at an April hearing. “The technical capability and expertise is available if a terrorist group or country that wanted to do us harm wanted to use it. In fact, it can be easily bought and sold on the Internet.”
During the 2008 presidential campaign, then-candidate Barack Obama compared cyber-security threats with other 21st century national security challenges such as biological and nuclear weapons. He said he would declare the country’s critical infrastructure a national asset and that he would appoint a cyber-adviser who would report directly to him.
On May 29, President Obama issued a Cyberspace Policy Review after input from virtually every federal agency and security trade group, promising guidance over mandates. A vaguely defined and still unnamed cyber-czar, now called a cyber-coordinator, will oversee Obama’s cyber-security plan.
“Because of the critical importance of this work, I will personally select this official,” Obama said of his cyber-security coordinator. “I’ll depend on this official in all matters relating to cyber-security, and this official will have my full support and regular access to me as we confront these challenges. To ensure accountability in federal agencies, cyber-security will be designated as one of my key management priorities. Clear milestones and performance metrics will measure progress.”