July 4 cyberattack called 'very minor'

• Article
• Comments ()
• Click-2-Listen
• Videos

By Shaun Waterman THE WASHINGTON TIMES

"It's pathetic" that some agencies' Web sites were unable to withstand the attack, Mr. Lewis said.

The Homeland Security official said not all Web sites required the same level of security, and that it was important to distinguish between sites that were just there as a shop window and those with which the public might have to interact, or that housed sensitive or confidential information.

"It makes sense for everyone that Web sites are sized appropriate to their mission," the official said; "different sites have different resilience needs."

For a site that was there simply to give information to the public, the key security issue would be integrity -- ensuring that the data was accurate and could not be tampered with. Availability -- ensuring that everyone was always able to reach the site quickly and easily -- would be a secondary issue. "There are different ways to do your risk assessments [about the threat posed by various kinds of cyberattacks] depending on your mission," the official said.

"DDOS attacks don't cause any lasting damage," the official added.

Although the attacks continued through the week, all the affected government sites were back up and running by Tuesday night at the latest. "It was handled well and handled quickly," the official concluded.

But the fact that such a simple, and relatively small-scale attack was able to knock several government Web sites offline altogether, albeit temporarily, gave some specialists pause.

Although there were many more government sites that were able to cope with the flood of data, those that went down "weren't at the right starting point" in terms of their security, said Dale Meyerrose, a former chief information officer for the director of national intelligence.

"There is a fundamental baseline that needs to be moved up," said Mr. Meyerrose, now an executive with Melbourne, Fla.-based government technology contractor Harris Corp.

Mr. Sachs said the technology to deal with crude DDOS attacks was widely available. "We know how to deal with these," he said. "This is not a technical issue, it's a leadership issue."

"Departments and agencies need to be learning from the past, from the mistakes the private sector has made" that left early e-commerce sites vulnerable to DDOS attack, Mr. Sachs said.

Mr. Lewis said part of the problem was that, although much good work was being done there, the Department of Homeland Security -- the agency charged with leading the U.S. response -- had too little clout within government. "They have an authority issue," he said. "Too many other agencies tend to regard their advice as optional."

White House spokesman Nick Shapiro said cybersecurity is "a major priority" for President Obama and cited "a top-to-bottom review of the federal government's efforts to defend our information and communications infrastructure" that Mr. Obama ordered upon taking office.

The review recommended the appointment of a White House czar to take responsibility for cybersecurity across the federal government.

"The president gets it," Mr. Meyerrose said. "Leadership needs to come out of the White House."

But he cautioned that the devil would be in the details of the appointment. "The responsibilities and tools" the new cybersecurity coordinator would have "are still to be determined," he said.