September 2003

Security Beat

by Geoff S. Fein

Report Blasts U.S. Homeland Security Program
The Bush administration has earned a grade of “D” for its “surprisingly lax and inadequate” efforts to protect America, according to the Washington, D.C.-based Progressive Policy Institute. A 27-page report, released in July, concluded the president “has given homeland security more lip service than action.”

While the administration has destroyed al Qaeda cells in Afghanistan and removed the Taliban from power, “building up America’s domestic defenses” has been a different story, the report states.

“... The Bush administration has been oddly lethargic in fortifying our defenses at home,” the report says. “... It consistently dragged its feet.”

The study gave the president failing grades for integrating terrorist watch lists, improving identification systems, completing a national threat assessment and for lessons learned from previous attacks.

“While integrating terrorist watch lists is not technologically difficult, the administration has failed to do so despite congressional funding for the task,” the report said.

The administration did get passing marks for nuclear power plant security (“A”), passenger security (“B-”), baggage security (“C+”), and securing nuclear plants and materials (“C+”).

“The Nuclear Regulatory Commission, in reaction to the Sept. 11 attacks, quickly issued heightened security regulations for all nuclear power plants,” the report said. “Overall, the nuclear power industry has spent nearly $400 million on additional security since the attacks.”

Corporate Spending on Security Lagging
A report from The Conference Board, in Washington, D.C., states that “corporate America’s overall spending on security in response to terrorism has increased only modestly.”

The study, co-sponsored by ASIS International, said the median increase for security spending since Sept. 11, 2001 is just 4 percent.

Median security spending is up about 9 percent in New York, Boston and other key cities in the Northeast, the report said, but has risen less than 3 percent in other parts of the country.

“A 4 percent median increase in security spending seems counter-intuitively small in light of our concerns about terror,” said Daniel H. Kropp, president of ASIS International, a firm that represents security professionals.

Only 7 percent of the businesses interviewed for the study increased their security spending by at least 50 percent. Industries most likely to step up spending are in transportation, energy, utilities, financial services, media, telecommunications, information technology and healthcare, according to the report.

“While nobody knows how much security spending is enough, there are legitimate concerns about corporate vulnerability,” said Tom Cavanagh, a security expert at The Conference Board, a non-partisan, not-for-profit research organization.

About 24 percent of the companies surveyed had a chief security officer, the study found. “Few apparently are interested in creating this relatively new position,” the report said.

Most companies, in fact, employ fewer than 50 people to oversee security needs. However, many companies do turn to private security consultants to augment their own staffs, the report stated.

Tight budgets and widespread cost cutting also affected security spending, Cavanagh said.

“There are only two sources of funds to expand security spending—corporate money or government funds and incentives,” he said. “Business leaders are reluctant to spend more on security, when they don’t see it contributing directly to their bottom line.”

Federal Government Falls Short in Cybersecurity
More than 90 percent of all successful attacks on Defense Department computer systems are based on vulnerabilities that already are known, said a top National Security Agency official.

“A system left un-patched soon becomes a target, like an unlocked sports car with the keys in the ignition,” said Daniel Wolf, director of information assurance at the National Security Agency.

Eliminating computer system vulnerabilities also should be a high priority, but the government is a long way from achieving that goal, he said.

Speaking before the House Select Committee on Homeland Security’s Subcommittee on Cybersecurity, Science and Research and Development, Wolf said that improving the way software is written would eliminate vulnerabilities. Computer operating systems also must have the ability to defend themselves from attack, he said.

An automated patch management system would keep government computers continually updated with the latest protection, he added.

The NSA is working on a $3 billion program called Cryptographic Modernization that would allow a computer system to modify itself on-the-fly, said Wolf.

Research also is needed to “build cybersecurity systems that can continue to operate even while under attack,” he said.

The Defense Advanced Research Projects Agency is looking at these kinds of systems, said Wolf.

“I believe that the highest payoff for optimizing cybersecurity is the creation of an interoperable authentication system deployed widely throughout the federal, national security, first responder and critical infrastructure community,” he said.

It would be similar to a system the NSA and the Defense Information Systems Agency built for the Department of Defense, Wolf said.

With this system in place, the Department of Homeland Security would be able to know who is accessing information or uploading reports, he said.

“It is also important to note here that most critical infrastructures, like a [public key infrastructure system], should be built using U.S. technology,” said Wolf. “I have concerns with foreign software of unknown trust and quality being integrated into critical U.S. systems.”

Another cybersecurity measure the government needs to initiate is effective protection of its cyber borders, said Wolf. That means having systems with firewalls that create a barrier between the government’s protected network and the Internet, and encrypted tunnels that protect information as it moves between secure networks. The government also should install a cyber intrusion detection system to monitor the flow of information and to detect suspicious activity.

“The technology alone [never will] be good enough to protect us because, ultimately, getting cybersecurity right is more about what you do than what you buy,” said Wolf.

Private Sector Could Help DHS Invest Better
The Department of Homeland Security should look to the private sector as an example of how best to invest and manage its funds, said W. Scott Gould, chief executive officer of The O’Gara Company.

Speaking before the House Select Committee on Homeland Security’s Subcommittee on Infrastructure and Border Protection, Gould said homeland security is strengthened “when its limited resources are managed in a coordinated fashion.”

The O’Gara Company is a government, corporate and international homeland security consulting firm.

“The private sector regularly uses portfolio investment techniques to manage financial, technical and human resource allocation decisions,” he said. “I believe we should do so in homeland security, as well. The public sector is familiar with these tools.”

Allocating resources in relation to the threats the nation faces may be the most “vexing issue for the homeland security leadership in the administration today,” Gould said.

“Should we focus our limited resources on preventing and detecting attacks or responding to the consequences of attacks? Which means should we use to prevent particular types of attacks? How many layers of security do we need to protect against any particular scenario?” he said.

The O’Gara Company developed a framework to assist policy makers to think through the issues, said Gould. The system would allow the DHS to weigh the costs and benefits of various investments in security.

For example, Gould said checking a traveler’s identification a second time at departure gates may be inexpensive, but the benefits are small. Investment in explosive detection systems for checked baggage is significant, but “the benefit of plugging this gap is correspondingly large and worthwhile,” he said.

However, investment in other projects, such as the federal air marshals, is questionable, Gould said.

“... Given the fact that the reinforcement of cockpit doors and likelihood of increased passenger vigilance already have created significant new layers of security in the cockpit and passenger cabin,” said Gould.

A project also could become less attractive if it is redundant, said Gould.

“In the absence of reinforced cockpit doors and increased passenger vigilance, an increase in federal air marshals would be a wise investment,” he said. “But in tandem with these other low-cost investments, it seems to deliver a low level of marginal security benefit at a high cost.”

Lt. Gen. Kellogg to Lead Oracle Corp.’s Homeland Security Efforts
Retired Lt. Gen. Keith Kellogg used to believe there were different approaches to dealing with technology security in the public and private sector.

His views now have changed. “You can’t separate the two; both are related,” he said.

Kellogg was the director of command, control, communications and computers at the Joint Chiefs of Staff. He currently is senior vice president of homeland security for software giant Oracle Corp.

While some businesses may delay or avoid implementing security because of the cost, Kellogg said companies cannot afford to not have adequate security.

“The price you pay for not having [security] transcends any monetary costs,” he said. “There are a lot of people out there who believe their systems are secure, [but] they are not.”

He added that companies have to understand the seriousness of the threat.

“The terrorist organizations out there are ‘A’ teams,” he said. “We need to protect information [and protect privacy] from the bad guys.”

Boeing to Test Cargo Security System
The Boeing Company was awarded a $4.2 million contract to demonstrate a cargo container security system for Operation Safe Commerce — a Department of Homeland Security initiative aimed at protecting U.S. ports.

The 10-month test will take place at the Port of Los Angeles. Boeing is currently doing preparatory work and trials are expected to begin this month.

“Our solution provides for the secure and efficient movement of containerized goods on a global scale — from the manufacturer to a port of entry and on to retailers,” said Rick Stephens, vice president and general manager of Boeing Homeland Security and Services.

According to Boeing, its system integrates real-time, in-transit container information with existing and future networks and databases.

“Our solution can confirm that [a cargo container] has not been tampered with along the way,” said Fernando Vivanco, Boeing communications director. “Part of the tracking is knowing when the cargo left, that it [has] not been opened, and verify [the cargo] all along the way.”

Boeing is teaming up with ADT Security Services Inc., Global Marine Security Systems Company, Iridium Satellite LLC and Parsons Commercial Technology group to take advantage of commercially available technologies, Vivanco said.

Congress approved $58 million in funding, in 2002, for the Department of Homeland Security to improve protection of international and domestic cargo through pilot projects involving the three largest container load centers in the country.

Operation Safe Commerce will examine new techniques for increasing security of container shipments. Demonstrations began this summer at the ports of New York/New Jersey and Tacoma/Seattle. Along with the Port of Los Angeles/Long Beach, the three ports will work with private and public entities to identify supply chain weaknesses and develop technologies to secure cargo.
