Better management key to fighting cyber attacks, experts say

The greatest technologies in the world will not shield federal agencies from cyber attacks unless the agencies involve their senior managers more and do a better job of educating their employees about computer security, several high-ranking federal information technology officials said Wednesday.

"IT security is really a question of accountability," said Daryl White, the Interior Department's chief information officer, during a conference sponsored by the National High Performance Computing and Communications Council. "You can't hold firewalls and intrusion detection systems accountable. You can only hold people accountable."

Cyber security also is a matter of common sense, according to Sallie McDonald, an assistant commissioner with the General Services Administration's Federal Technology Service.

"We are trying to set up a culture of security in federal civilian agencies," said McDonald, who oversees the Federal Computer Incident Response Center (FedCIRC), which helps agencies prevent and respond to cyber attacks, and serves as a central office for reporting such incidents.

McDonald cited statistics indicating that the number of cyber-security incidents in the United States has doubled annually. Carnegie Mellon University's CERT Coordination Center received nearly 53,000 reports of incidents from public and private sector entities last year, compared with fewer than 22,000 in 2000 and fewer than 10,000 in 1999.

Officials said that preventing such attacks requires federal agencies to make information security an integral part of their infrastructures, and they must demand that vendors make it an integral part of their software.

"A discriminating factor in sales will be whether a product has [security] built in," said Sandra Bates, commissioner of the GSA's Federal Technology Service. "When you buy a car, the steering wheel and the brakes come with it. They're not built separately, and they don't cost extra. Security needs to be like that."

McDonald said federal agencies also must find ways to share sensitive information about system vulnerabilities that they do not want the general public--or potential hackers--to know about. FedCIRC is developing a "secure collaboration" capability that would enable agencies to discuss those matters in a near real-time environment, through secure chat rooms and other online forums.

FedCIRC also is working to develop a "patch authentication" capability that would help federal agencies determine which software patches would be the most useful for fixing specific vulnerabilities in their systems. "Systems administrators are inundated with information about patches," McDonald said. "They don't know which ones to apply, and how."

Lee Holcomb, chief information officer for the National Aeronautics and Space Administration, said patch authentication is a high-priority issue for NASA. "We don't have a good way of getting patches out," Holcomb said. "When you have thousands of Web-enabled computers, getting those patches out is a big problem."

Although the Internet has made their critical infrastructures more vulnerable to cyber attacks, Holcomb and other federal technology officials said their agencies could not reduce their reliance on the Internet. "Our strategy is to become even more dependent on the Internet," Holcomb said, noting that Web-based capabilities are crucial to NASA's ability to communicate with employees, contractors and the public. "If anything, we're using the Internet more aggressively."