The report found that the government has made progress in cementingindustry-government partnerships around critical technologies, securingDepartment of Defense networks, and forming at least one educationinitiative for training security personnel. But it noted that there isstill no way to locate and fix vulnerable critical systems and no means oftracking the progress of the various departments' pursuits of cybersecurity.
"Achievements to date are notable, but there is still work to do," statedthe report, released a week ago by the Critical Infrastructure AssuranceOffice (CIAO).
On May 22, 1998, President Clinton signed Presidential Decision Directive63, a rallying cry for the United States government to work with industryto secure the country's critical computer systems from cyberattack. Thedirective called for a national plan to protect such systems and periodicreports of the progress made in securing the U.S. infrastructure.
The 209-page interim report--requested by Congress as part of a defenseappropriations bill passed last October--laid out, agency by agency, wherethe United States stands. While the National Plan released a year ago seemsto be on track, most agencies are still in the information gathering stage.
In fact, in a survey released last September, the General Accounting Officefound that the vast majority of federal systems remained vulnerable to attack.
The CIAO report agreed. "More of the American economy has become dependenton IT systems," it stated. "Those who have the skills and tools to disruptour networks and systems have also increased, in numbers and incapabilities. Malicious individuals, criminal groups and nation statespresent significant threats to U.S. information systems."
CIAO hopes to solve the major lack of information through a new initiativedubbed Project Matrix. The project aims to identify key systems in thegovernment and identify how they could be attacked and what would happen inthe event of such an attack.
The project has so far red-flagged more than 4,000 physical and cyber"assets" that will need to be protected among the 14 governmentagencies--plus the military and intelligence communities--that have takenpart in the project to date. Fifty of the unnamed assets have been bumpedto the top of the critical list and given a green light for furtheranalysis because of their importance.
Not all agencies have taken part in the program, however. Both theSecurities and Exchange Commission and the Environmental Protection Agencyhave only started to work with the Matrix analysis teams, while both theDepartment of the Interior and Department of Transportation have remainedaloof, according to the report.
That makes the next three years a critical period, as networks become moreintegrated and the threats more serious.
"While ongoing efforts continue to increase security on the nation'scurrent (information) systems, government and industry must insure thatsecurity is designed into next-generation networks," the CIAO report stated.
"Economic growth, better government service and efficiency, and a strongerdefense are all possible in the years ahead if we continue to give a highpriority to securing cyberspace."