As the bill authorizing the proposed Department of Homeland Security languishes in the Senate, government officials are discussing the possibility of informally consolidating federal information security agencies, according to sources familiar with the plan.
The effort would take the place, at least temporarily, of more formal consolidation spelled out in the Homeland Security proposal, sources said. Specifically, the new plan calls for the FBIs National Infrastructure Protection Center, the Federal Computer Incident Response Center and other organizations to begin meeting on a regular basis, weekly perhaps, and share duties and results from their operations, they said.
The move comes amid growing concern among security experts that delays in the passing of the bill are hampering sorely needed efforts to improve vulnerability reporting and response.
“I think if [the delay] lasts more than four or five weeks, [the informal consolidation] will happen and probably without any government edict,” said Alan Paller, director of research at The SANS Institute, in Bethesda, Md.
Security experts say the fact that the government is even discussing such an idea outside the Homeland Security bill is indicative of how much things have changed in Washington.
“The government after [Sept. 11, 2001] realized that their methods for gathering intelligence and sifting it wasnt working,” said Kevin Nixon, senior director of business strategy on the staff of the chief security officer at Exodus, a subsidiary of Cable & Wireless plc., based in London. “They need to use nonconventional methods. It shows theyre using breakthrough thinking.”
Government officials, particularly Richard Clarke, chairman of the Presidents Critical Infrastructure Protection Board, have said they want security researchers to report new vulnerabilities directly to the government and no one else, except the affected vendors. But the rats nest of federal security groups and their fuzzy areas of responsibility make such reporting difficult.
Whats needed, researchers say, is a single point of contact within the government for vulnerability reporting.
“Theres so much overlap with all of them, you never know who to deal with,” said Dan Ingevaldson, team lead on the X-Force research and development team at Internet Security Systems Inc., in Atlanta. “Its pretty obvious theres a need [for consolidation of the governments personnel].”
In the meantime, however, government officials are urging researchers to take care with their discoveries.
“It is irresponsible when you find a vulnerability to tell everyone in the world about it. It is the height of irresponsibility,” Clarke said this week. “Tell the right people and keep it secret until a patch can be distributed.”
The administration—and much of Congress—had hoped to enact the Department of Homeland Security bill by Sept. 11. In July, the House of Representatives approved a bill supporting the administrations vision for the department, but the legislation is stymied in the Senate, where a partisan debate over the collective bargaining rights of department employees has prevented a vote.
The Senate had planned to adjourn by the middle of this month in light of next months election, but efforts to bring the Department of Homeland Security measure to a vote may keep the chamber in session longer and may bring lawmakers back to Washington after the election. At this point, the issue appears sufficiently bogged down to preclude a vote before the 107th Congress comes to a close. If that happens, debate could begin from scratch when the new Congress convenes in January.
As proposed, the Information Analysis and Infrastructure Protection section of the Department of Homeland Security would subsume a portion of the NIPC, FedCIRC, the Critical Infrastructure Assurance Office at the Department of Commerce, the National Communications System at the Department of Defense, and the Department of Energys National Infrastructure Simulation and Analysis Center, as well as taking some personnel from the Secret Service. Currently, these groups operate autonomously, with little information shared among them.
Additional reporting by Caron Carlson
- Smaller Firms Demand More From Bush Plan
- Feds Delay Release of Cyber-Security Plan
- Commentary: Cyber Plan Delay Invites Much-Needed Public Comment
- Special Report: Bushs Cyber-Security Plan