
Analysis & Commentary:

SENATE COMMITTEE LOOKS INTO IT VULNERABILITIES

As reported by Patrick Thibodeau, the U.S. Senate Governmental Affairs Committee wasted no time in holding a hearing on a key question in the wake of the attacks in New York and Washington: whether computer networks that run vital services are vulnerable to terrorism.

The answer from two government witnesses is that government systems suffer from poor security, rely on buggy commercial off-the-shelf software that creates risks, and don't get security incident data from private-sector companies that could help the government improve cyberprotection.

"The private sector, for good reasons, does not always want to share information related to threats, what the risks may be, what kind of incidents that may have occurred in the past," said Joel Willemssen, who manages IT issues for the congressional watchdog agency, the General Accounting Office.

Private-sector security data "can give us a sense of where we stand strategically and where our risks are at," said Willemssen.

Willemssen and other government officials involved in critical infrastructure issues have voiced such concerns before. But they received renewed attention after the September 11 attacks.

The State, said Committee Chairman Joseph Lieberman (D-Conn.), has entered a "new era" in protecting national security, one that includes improving the nation's capability to protect critical systems from sophisticated cyberattacks.

The hearing on critical infrastructure had been scheduled prior to the September 11 attacks.

"Today, our hearts and minds are naturally focused on yesterday's tragedy, but it is important that the Senate continue with America's business, particularly as it affects America's security," said Lieberman. "Our enemies will increasingly strike this mighty nation at places where they believe we are not only dependent but unguarded. That is surely true of cyberspace infrastructure today."

U.S. officials have been working to organize critical industrial and service sectors to develop information-sharing arrangements with each other as well as with the National Infrastructure Protection Center. But participation has been limited, in part, by concerns that sensitive corporate data might be publicly released.

Sen. Robert Bennett (R-Utah) has introduced a bill -- a similar one has been introduced in the House -- that would offer protection to corporate data shared with the government. That bill "would be a great motivator to enable increased sharing of information between private and public sectors, which is absolutely critical," said Willemssen.

Also faulted at the hearing was the reliability of commercial software. Roberta Gross, the inspector general for the National Aeronautics and Space Administration, accused vendors of shipping software with vulnerabilities.

"If you want to talk about the public-private partnership, the private sector can start to be responsible," said Gross. "Off-the-shelf software cannot be coming on with vulnerabilities. There has got to be some warranties."
