Homeland Security: Cybersecurity is everyone's responsibility

Department official says agencies need their own computer security processes for protection in addition to the national initiative.

Agencies should not rely solely on the national cybersecurity initiative to protect their computer systems from attack, a top Homeland Security Department official said on Thursday.

Comment on this article in The Forum.Each agency must develop good internal cybersecurity processes that focus on more than network perimeter protection, said Mischel Kwon, director of the Homeland Security Department's U.S. Computer Emergency Readiness Team during a panel discussion in Washington at the Security 2008 conference sponsored by 1105 Government Information Group.

In many ways, civilian agencies have a bigger challenge than the Defense Department in locking down networks because their IT environments are far more decentralized, the department's cyber response official said.

"The federal civil space is different than Defense, [which] relies on these huge [wide-area networks]," said Kwon. The Navy Marine Corps Intranet, for example, consolidated more than 6,000 individually operated networks into one network, which currently supports 700,000 users. "That allows them to do things centrally and work from a core, while civil agencies have a conglomeration of smaller networks. Doing security in that kind of environment is very different," she said.

The Office of Management Budget's Trusted Internet Connections Initiative aims to address that issue by requiring agencies to reduce network connections to fewer than 100 in 2009. The overarching 2008 Comprehensive National CyberSecurity Initiative promised to protect federal networks through governmentwide efforts, but agencies still need to improve their own internal processes.

"We are systems with no boundaries," Kwon said. "The [attack is] no longer to the external firewall; it's an attack that goes in via my e-mail and out by the Web, or in and out by surfing… . If anyone thinks antivirus is your solution, you are hallucinating. This needs to be defense in depth."

Kwon emphasized the importance of life-cycle management in the establishment of sound information security processes, noting that almost every penetration of federal networks takes advantage of some known vulnerability that went unfixed. Build security in from the start, she said, so it can be maintained more easily over the long term through best practices, such as proper patching of systems, securing configurations, and monitoring network traffic to ensure malicious attacks are detected and defenses put in place.

At the same time, appropriate access controls are crucial, Kwon said. Individuals with administrator rights to systems should not be able to use those accounts for remote access or to e-mail or browse, for example.

"The solution is not to tell people not to click on [a certain file], because you'll never win that war," said Alan Paller, director of research at the SANS Institute, a nonprofit cybersecurity research organization in Bethesda, Md. "It's to isolate sensitive information by enforcing administrator privileges."