Federal advisory group will grade network vulnerability

A senior governmental advisory group is planning to unveil a system this summer that will grade public and private information networks on their vulnerability to a terrorist attack, a member of the group said Tuesday.

A National Infrastructure Advisory Council working group is "75 percent complete" with the development of the new grading scale, according to John Thompson, the chairman and CEO of Symantec Corp. and one of the leaders of the effort. NIAC officials expect to complete work on the project by July.

The council was created to study the security of information systems and networks for the nation's key national security and economic infrastructures. With the new system, Thompson said, cybersecurity officials will be able to prioritize their efforts and understand the risks they face.

The vulnerability scale will merge 14 different measurements, including the expected risk of an attack and the potential loss of life or property if the information infrastructure is compromised. The grading will be broken down into three classes: base metrics, which are calculated once and never adjusted; temporal metrics, which can change over time as new countermeasures or threats become apparent; and environmental metrics, which are adjusted based on factors that are directly relevant to specific networks. The scores from those three classes will be combined to produce a final vulnerability rating.

"You end up with a single score for a particular time in a particular environment," Thompson said. "The purpose of this is to develop a common language so we could say, 'this is a 10, or this is a 5,' and everybody would know what we are talking about."

NIAC members are now seeking more industry input and are planning to test-grade several networks in a dry run. The testing is expected to be complete by June 1, and Thompson wants to have the final system ready by the July NIAC meeting.

The plan drew praise from other NIAC members.

"We definitely need some metrics in this space," said Al Edmonds, a retired Air Force general and a vice president at technology contractor EDS.

During the same NIAC meeting Tuesday, a senior Homeland Security Department official said it was important for national security officials to implement the advice produced by the advisory council.

"We've got to take what we've designed … and make it work," said Frank Libutti, undersecretary for information analysis and infrastructure protection at DHS.