Department of Homeland Security

The Center for Strategic and International Studies (CSIS) has established a Commission on Cyber Security for the 44th Presidency – the administration that will take office in January 2009.  The goal of the nonpartisan Commission is to develop recommendations for a comprehensive strategy to improve cyber security in federal systems and in critical infrastructure.

The EDUCAUSE/Internet2 Security Task Force has been invited to provide input to the Commission and welcomes your comments in the following areas:

In a hearing before the U.S. House of Representatives Homeland Security Committee Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology, subcommittee chair Rep. James R. Langevin (Dem.-RI) said, “I have great apprehension about the current framework DHS is creating with the sector specific plans (SSP’s) as they relate to cybersecurity.”  He continued, “The Federal government and the American people want to ensure there is a high level of cybersecurity protections on our critical infrastructure.

The U.S. House of Representatives has introduced H. Res. 716 "expressing the sense of Congress with respect to raising awareness and enhancing the state of computer security in the United States, and supporting the goals and ideals of National Cyber Security Awareness Month." The resolution was presented by Rep. James R. Langevin (Dem-RI), chair of the Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology of the House Homeland Security Committee.

While introducing the resolution on the House floor, Rep. Langevin said:

A Federal Register Notice has been published for the Department of Homeland Security's "Information Technology (IT) Security Essential Body of Knowledge (EBK): A Competency and Functional Framework for IT Security Workforce Development." The deadline for comments is December 7, 2007.

According to the Notice:

More information, including a downloadable version of the IT Security EBK, is available at http://www.us-cert.gov/ITSecurityEBK/

The 7th Annual Computer Security Report Card at Federal Departments and Agencies gave the government an overall grade of C- which is up from a D+ the previous two years. Other notable changes include:

• NSF received an A+ in 2006, rebounding sharply from a C+ it received in 2004
• NASA received a D- in 2006 - the same grade it received in 2003 and 2004 - although its grade temporarily jumped to a B- in 2005
• The Department of Defense and Department of Education both received an F in 2006
• The Department of Veterans Affairs, infamous for its lost laptop that exposed the records of 26.5 million veterans in 2006, failed to submit a FY06 FISMA Report. The VA had received an F in the previous two years.

The full report is attached or available at http://republicans.oversight.house.gov/Media/PDFs/FY06FISMA.pdf

 

The Emerging Threats, Cybersecurity, and Science and Technology Subcommittee of the Homeland Security Committee in the U.S. House of Representatives held a hearing yesterday on the topic of “Hacking the Homeland: Investigating Cybersecurity Vulnerabilities at the Department of Homeland Security”. Chairman Rep. James Langevin (Dem-RI) commented, "It was a shock and disappointment to learn that the Department of Homeland Security - the agency charged with being the lead in our national cybersecurity - has suffered so many significant security incidents on its networks."

The full committee chairman, Rep. Bennie Thompson (Dem-Miss), asked:

Freeman A. Hrabowski, president of the University of Maryland, Baltimore County, will present a keynote session on aligning IT innovation with institutional strategic priorities and panelists will discuss the impact of Homeland Security issues on higher education at the Mid-Atlantic Regional Conference 2007, January 17–19, in Baltimore, Maryland. The conference program will also cover secure infrastructure solutions for the digital campus, solutions for using technology to enhance teaching and learning, practical enterprise solutions for tomorrow’s challenges, and the leadership challenge of the unified campus. Register by December 15 to receive discounted rates.

The US Department of Homeland Security (DHS) has issued guidance that everyone should install patch MS06-040 for Microsoft Windows systems. There doesn't appear to be any information released about what makes this patch any more significant than any of the others from Microsoft.

More comprehensive information about security issues is available, as always, from US-CERT. Their list of alerts also shows that it's not just the "usual suspects" of Microsoft and Internet Explorer that are causing problems, but the likes of Oracle, Mozilla, Apple and Sendmail.

A project funded by the US Department of Homeland Security has discovered a bug in X11, the display system used across a wide range of POSIX systems (linux, BSD, and unix) as well as used for platform independence on Microsoft Windows and Apple Macs.

The bug is very serious, but remote activation appears to be blocked by most firewalls, which block remote access to X11. Fixes have already been rolled out for most platforms.

The X11 system seperates the display (or windowing) system from other parts of the operating system. It enforces security seperations and allows remote access, by exposing physical screens as servers (literally, the service they provide is that of displaying data to the user). The X11 protocol is widely supported by a number of operating systems (who provide the servers), applications (who use the service) and utilities. The widely used GTK and QT windowing toolkits typically sit on top of X11 and allow applications to manipulate it in terms of hihg-level objects.