Wednesday, September 23, 2009
Federal Cyber Security: Still No Answer
To his credit, President Obama has been working on this issue. In February, he commissioned a cyberspace policy review led by Melissa Hathaway. In May, Mr. Obama held a press conference to highlight the findings and recommendations of the final report drawn up by Hathaway's team. He then pledged to follow its top recommendation and appoint a coordinator to oversee federal cyber security programs as soon as possible.
We're still waiting.
As of this writing, the federal cyber security coordinator position remains open, much to the chagrin of the security community. Annoyed by the delay, House cyber security caucus co-chairs Jim Langevin (D-RI) and Mike McCaul (R-TX) recently urged the president to accelerate the hiring process.
At some point, the president is likely to find and appoint a qualified person - probably sooner rather than later - and when he or she finally arrives, there will be little time for on-the-job training; the state of cyber security today demands immediate action. Unlike politicians, cyber criminals aren't waiting for the next election before they act. Here are the most pressing items on the agenda awaiting attention:
• Fix DHS and US-CERT
According to a GAO report of May 25, 2009 titled "Cybersecurity: Continued Federal Efforts Are Needed to Protect Critical Systems and Information," the Department of Homeland Security (DHS) and US-CERT have a number of major problems. The report states, "without fully implementing the key attributes, US-CERT did not have the full complement of cyber analysis and warning capabilities essential to effectively perform its national mission." Translation: if we suffer a major cyber attack, we could be in big trouble. This situation must be fixed immediately.
• Train the public
Let's face it - most people who own a computer have little knowledge of security risks or best practices. Ultimately this ignorance puts our country at risk. Why? User identities get stolen and PCs turn into zombies in global botnets capable of attacking critical assets. We need a "Smokey the Bear"-style public awareness campaign accompanied by real training programs spanning K-12, college, and continuing education.
• Champion a National ID program
Europe is way ahead on this front - Americans are extremely wary of privacy intrusions and "Big Brother." Nevertheless, a national ID could improve security and have peripheral benefits for healthcare information sharing, e-government programs, and so on. Yes, it's a political hot potato, which is exactly why a political appointee like the cyber security coordinator should champion the cause.
• Act as a cyber security watchdog
Cyber security programs are in constant danger of being co-opted by DoD and NSA, which is sure to alienate the private sector. The cyber security coordinator needs to balance military capabilities with civilian requirements. Additionally, the coordinator needs to protect cyber security funding from politicians who look to steer cyber security dollars toward pork-barrel projects. Someone needs to call these people to account when they stick their hands out.
• Fix the cyber security personnel problem
Think the federal government can attract the best and brightest cyber security professionals? Think again. According to a recent report published by the Partnership for Public Service, the federal government is way behind in IT skills development, recruiting, and competing for talent with the private sector. Lacking in-house security professionals, the feds turn cyber security programs over to expensive government integrators at the taxpayer's expense. The new cyber security coordinator must work with the Office of Personnel Management and other agencies to streamline recruiting, fund college cyber security curricula, bolster training, and develop career paths.
• Push through FISMA 2.0
The Federal Information Security Management Act (FISMA) of 2002 is a dinosaur that doesn't work: it rewards paperwork over measurable security. At the same time, an alternative dubbed FISMA 2.0 is moving through Congress at a snail's pace. The cyber security coordinator needs to get in Congress's face to wrap this up by the end of the year.
• Push for Federal data privacy standards
As of this writing, 45 U.S. states and territories have their own varying data privacy laws, not to mention federal statutes like GLBA, HIPAA, and SOX. It is extremely cumbersome and expensive for organizations to interpret these laws, develop controls, and prepare for audits. The cyber security coordinator should work with legislators like Senator Dianne Feinstein (D-CA) to supersede this patchwork with overarching federal privacy legislation.
• Lobby for security compliance incentives for the private sector
The private sector is fed up with new regulations and mandates that carry lots of cost and no reward. The cyber security coordinator needs to work with Congress to create compliance incentives, such as tax credits or priority status for new federal contracts. More carrot, less stick.
• Unify cyber security communications
Unless you've spent years in the federal government, you probably can't make heads or tails of all the cyber security programs, agencies, and acronyms. Cyber security federal-speak is simply ignored by the time-constrained private sector. The cyber security coordinator needs to unify communications, simplify programs, and get the private sector on board with federal initiatives.
• Become the cyber security face of the United States to the rest of the world
The cyber security coordinator must push for common law enforcement standards and cooperation with other nations, since attacks and their perpetrators routinely cross borders that investigators cannot.