Feds get D+ on 2005 cybersecurity

The federal government earned a barely passing grade in enacting meaningful improvements in cybersecurity during the past year.

The federal government earned a barely passing grade in enacting meaningful improvements in cybersecurity during the past year, an industry group announced today.

The Cyber Security Industry Alliance (CSIA) released its report card evaluating the federal government’s progress on 12 recommendations.

Congress and the Bush administration received one B, four Cs, six Ds and an F – a 1.4 average on a 4.0 scale, or a D+.

“Cybersecurity research is in a crisis,” said Paul Kurtz, CSIA’s executive director. “Information sharing is largely at a standstill. There continues to be a lack of priorities.”

“It’s kind of old that we haven’t been making as much progress for as many years as we’ve been working on this,” said James Lewis, senior fellow and director of the Technology and Public Policy Program at the Center for Strategic and International Studies. Lewis moderated a panel discussion of CSIA board members who commented on the report card.

The report card contains some good news: the Homeland Security Department earned credit for creating an assistant secretary for cybersecurity position, even though experts raised concerns that, six months later, DHS has not filled that post.

The Senate is also close to a vote on ratifying the Council of Europe’s Convention on Cyber-crime.

CSIA announced its National Agenda for Information Security in 2006, which includes 13 proposals to improve cybersecurity in the coming year.

The public’s confidence in cybersecurity is perilously low, the report states. As proof, CSIA also introduced its Digital Confidence Index, which tracks consumer confidence in measures taken to protect digital infrastructure. The first rating is 58 out of 100, which “represents less than a passing grade for those who have an interest in making our networks safe, such as the federal government and technology companies,” a CSIA statement said.

The new rating supports a recent survey that found that 48 percent of the U.S. public doesn’t feel safe doing online commerce, Lewis said.

“Assume 48 percent of consumers were afraid to go to the mall,” said Steven Solomon, chief executive officer at Citadel Security Software. “What would Congress do to protect them then?”

Congress must look at the public’s and industry’s concern about data breaches and identity theft, said Philip Dunkelberger, CEO at PGP. Lawmakers should pass a comprehensive law that defines “breach” and “notification” and reinforces cybersecurity best practices, he said. Congress should also pass an anti-spyware law, he said.

The government should fund research to assess the cost of cyberattacks on the economy, Kurtz said. The Justice and Homeland Security departments are initiating a new survey in January 2006 that asks the private sector about the cost of cyberattacks, he said.

Other federal agencies should join DHS in creating incentives and educating the public about the dangers of cyberattacks, Lewis said.

Homeland Security Presidential Directive 12, which requires federal employees and contractors to have secure credentials to access federal facilities and computer systems, is well-written but is a toothless tiger because it does not provide funds for implementation, said John McNulty, chairman and CEO of Secure Computing.

The federal government should provide more money because improved authentication of users’ identities will improve information sharing, McNulty said.