May 14 2009

Brief Byte: Cybersecurity Strategy

Take a Page from Defense's C2 Strategy

Some federal technology and security experts, if asked, will say that cybersecurity attacks on the level of a digital Pearl Harbor aren’t looming on the horizon — they believe they’ve already transpired.

“The mini Pearl Harbors are happening every day,” warns Vance Hitch, CIO at the Justice Department. “In private industry, it’s financial and identity thefts; in the government, it’s our digital capital. It’s nation states that understand the policies and underpinnings of our government, and they are making targeted strikes on federal systems.”


According to Eric Cole, an instructor for the SANS Institute and a senior scientist at Lockheed Martin, the cost of attacks over the past 18 to 20 months adds up to $1.5 billion — deadly strikes, minus the loss of life.

As a whole, the government needs to do more to figure out how to find efficiencies in security programs and practices. “When push becomes shove, we need a command and control structure to prevent cybersecurity tragedies from happening,” Hitch says. “You don’t need it every day; but when you need it, you need it.”

He advises civilian agencies to take a page from the Defense Department playbook. “DOD is better at this than the civilian side of government because it’s part of the culture there,” he says.

To help that effort along, Hitch is co-chairing the CIO Council's new Information Security and Identity Management Committee, which will provide guidance and pointers on practical priorities to the White House, Office of Management and Budget, and National Institute of Standards and Technology.



Off the Shelf

What: Bureaucracy: What Government Agencies Do and Why They Do It by James Q. Wilson

Recommended by: Dan Cotter, chief technology officer at the Homeland Security Department

Why: This book delves into the idea that “it’s silly to try and treat government like a private enterprise.” There are burdens in the government that do not exist in a private enterprise. “In government, we must do stuff that is equitable and that we can be accountable for, and we have to do things that a private group would not — such as send our sons and daughters to war and pay people tax refunds.”

In private organizations, the goal is to spend the least amount of money to make a good return. That’s a very different driver when it comes to technology use and innovation.

Takeaway: In some ways, it’s smart for the government to be a late adopter, so that it does not take on so much risk that it cannot meet its mandate to serve the taxpayer efficiently, with equity and accountability. For any technology project being considered, agencies must ask themselves: “Does it do something better than the technology we have now? What does the technology bring to the mission?”