The need to establish a comprehensive plan within which to address the vulnerabilities of our National Information Infrastructure (NII) is paramount. Whether through a White House-led Task Force or some similar mechanism, the interdisciplinary nature of this threat requires a government-wide response that also addresses the exposure of the private sector.
The U.S. must formulate national policy to promote the security of its information infrastructure.
Presently, agencies are greatly limited by pre-existing missions and jurisdictional assignments. Unfortunately, the threat ignores national boundaries and often remains a mystery until it is fully investigated. Based upon the multidimensional nature of the threat posed to our information infrastructure, there exists a need to establish a freestanding entity that can conduct operational responses to computer attacks, and task different agencies within our government.
The Staff recommends the creation of a National Information Infrastructure Threat Center that will include representatives from the law enforcement, intelligence and Defense communities, as well as liaison with the private sector. This center should have "real time" 24-hour operational capabilities as well as serve as a clearinghouse for intrusion reports.
No intelligence, counter-intelligence or law enforcement agency has yet produced an NII threat assessment. More importantly, the intelligence community is having difficulty collecting the data necessary to even prepare such an estimate. Collection of data must become a high priority within the intelligence community.
The Staff recommends that the Director of Central Intelligence complete an NII threat estimate. The estimate should have an unclassified version that can be made available to private industry.
The uneven response in the international community to the threat posed to information infrastructures has created difficulties enforcing anti-intrusion legislation. Only a handful of countries presently have meaningful computer crime investigative capability, and the absence of uniformity has given would-be attackers refuge from detection or prosecution.
The Staff recommends that the U.S. promote the creation of an international computer crime bureau with emergency response capability. This Bureau may be assigned to Interpol and would provide education and awareness training to foreign law enforcement agencies in order to promote the creation of dedicated computer crime units or similar capability as well as uniform investigative and computer forensic practices. This Bureau would also have operational response, like a CERT, in support of computer crime incidents. The Bureau would also collect data on vulnerabilities and disseminate countermeasures as well as serve as an international clearinghouse for intrusion incidents.
Our government must foster a security culture that appreciates the vulnerabilities of our National Information Infrastructure (NII). We need to maintain a better pool of security professionals and, generally, improve the security consciousness of our users and our managers. There are several specialties in the computer career field for government employees including computer operators, computer technicians, computer programmers and computer analysts. There is no specialty in the computer career fields for network administrators, computer security personnel, nor in the criminal investigative career field for computer crime investigators.
In order to ensure that computer security positions are filled with personnel that possess the requisite experience and training, the Staff recommends the creation of a Government Computer Security Specialist Career Field that will include potential for career progression and incorporate specialized computer security training.
In order to promote a stable pool of information security managers within the U.S. government, the Staff recommends the creation of a Government Computer Systems Administrator Career Field that will include potential for career progression and incorporate specialized computer security training.
In order to promote and improve our government's computer crime investigative potential, the Staff recommends the creation of a Government Computer Crime Investigators Career Field that will incorporate the potential for career progression and specialized computer crime investigation training.
Vulnerability testing and assessment of government and government interest computer systems is the best method of enhancing awareness of the vulnerabilities of our information infrastructure. Presently, only the Defense Department has an aggressive vulnerability program.
The Staff recommends that the federal government promote regular vulnerability assessments, or "red teaming," of government agencies, especially agencies outside of the Department of Defense. The Staff further recommends that an agency be designated to perform such vulnerability assessments in the same manner that the Defense Information Systems Agency (DISA) performs such assessments for the armed services.
One of the most significant voids in computer security is the lack of reporting of attempted and even successful penetrations of government systems as well as other systems of national interest. Mandating the reporting of intrusions in government systems will foster a greater security culture with the NII. Further, it is important to give private industry a mechanism within which it can report intrusions without fear of inciting customer insecurity.
The Staff recommends that the U.S. government mandate the reporting of intrusions and attempted intrusions in all government and government interest systems. The Staff further recommends that federal agencies develop protocols and procedures for reporting computer intrusions, and subsequent referral of same to proper criminal or other appropriate agencies like the proposed National Information Infrastructure Threat Center.
The Staff further recommends that the federal government encourage private industry and the private sector to report intrusions into private information systems. The Staff would further recommend that the government promote private industry reporting through creation of anonymous clearinghouses or similar methods.
Logon warning banners that advise users of government computers that there is no expectation of privacy, though recommended by the Department of Justice, are not mandatory on government computer networks. The logon banners put users on notice that they have no reasonable expectation of privacy on government systems and the use of the system constitutes consent to monitoring. Presently, when intrusions occur on government systems, lack of such a logon banner hampers investigative efforts and response.
The Staff recommends logon warning banners become mandatory for all government and government interest systems. (See Appendix D for example of logon banner.)