White House urged to make cybersecurity a priority
"We need a national policy to secure cyberspace," said Paul Kurtz, executive director of the Cyber Security Industry Alliance. A presidential directive would address command and control issues by establishing roles and responsibilities related to a catastrophic event, he told the two committee members who were present, Reps. Todd Akin, R-Mo., and Jim Cooper, D-Tenn.
The role of the Defense Department in a national incident when it does not involve its own assets is unclear, and the department pays little attention to the private sector, he said.
Among the deficiencies outlined by the witnesses include: inadequate funding for cybersecurity research, a shortage of cybersecurity experts, the military's reliance on commercial software and hardware that are prone to attacks, and insufficient coordination of research with the private sector.
It is a great concern that the Defense Department is dependent upon the privately owned infrastructure and the use off-the-shelf software to defend security operations, said Kurtz. A threat to a military network and a threat in the private sector are not mutually exclusive.
"Simply locking down Department of Defense's systems is not enough" to protect it, he said. It "must expand its warning systems against key actions against the private sector."
For example, an attack on the nation's telecommunications infrastructure or electric power grid, which is carried over civilian links, would affect military operations.
"These systems are interconnected, and we need to protect all of them," said Eugene Spafford, a professor and executive director of the Purdue University Center for Education and Research in Information Assurance. He also served on the now-defunct President's Information Technology Advisory Council.
Another problem with commercial software is the common solution of fixing security gap exposures with "patches," or quick fixes, Spafford said.
Instead, David Grawrock, principal engineer and security architect at Intel, suggested an ongoing federal product review process instead of the static certification process used today. The result would be a more resilient infrastructure, he said.
The military's use of commercial products for sensitive matters is also a concern. In today's global environment, support services often are located outside of the United States, Spafford said.
On the labor front, "The number of professionals in the field seems to be shrinking and not expanding," said Grawrock.
Purdue's cybersecurity program graduates 20 percent of the post-doctoral cybersecurity experts in the country, and that translates to 15 individuals, Spafford said.
"The need for certified professionals is growing," Grawrock noted.
Funding for cybersecurity is insufficient, witnesses testified. Of the Homeland Security Department's $70 billion fiscal 2005 funding, 1 percent was assigned to cybersecurity, according to a study by presidential science advisers.
Because no one knows when or where a catastrophic cyber attack will hit, "we need to develop a holistic view," Spafford said.