With the release of the 60-day cybersecurity review, the focus on securing federal IT and networks clearly took a big step up the agency management ladder.
When President Obama announced the report’s release this spring, he said: “To ensure accountability in federal agencies, cybersecurity will be designated as one of my key management priorities. Clear milestones and performance metrics will measure progress.”
Agency chiefs — even CIOs and CISOs — can’t become IT security traffic cops. But they will have to raise the stature of security within their organizations and be conversant in their individual agency’s programs. They also must be willing to share their experiences and remedies more extensively, both with other federal organizations and with those in industry that manage many of the nation’s critical infrastructures.
Over the past decade, cybersecurity, like IT, has gained increasing prominence in the power corridors of Washington. During the early days of George W. Bush’s administration, Richard Clarke, the first official cybersecurity adviser to the president, had an office in the Old Executive Office Building. Since then, many agencies have installed their own chief information security officers.
The issue today is fragmentation, according to Melissa Hathaway, acting senior director for cyberspace for the National Security and the Homeland Security councils. The U.S. government needs to enlist industry leaders and governments worldwide to establish an agreed-upon view of what is acceptable behavior in cyberspace, says Hathaway, who led the cybersecurity review. Only then can the federal government prioritize the actions that agencies must take to secure their systems and be assured that systems beyond U.S. borders apply adequate security measures, she says.
This echoes the president’s statement that “when it comes to cybersecurity, federal agencies have overlapping missions and don’t coordinate and communicate nearly as well as they should.”
Walk Before You Run
One thing all agency chiefs can do now, whether just arriving in Washington or continuing service to the government, is jump in to understand cybersecurity and the underlying network infrastructure of their agencies a little better. That knowledge will go a long way toward helping the government establish what Hathaway calls a common view of cyberspace.
This puts the onus on IT chiefs, CIOs and CISOs to provide information and guidance to senior managers, says Justice Department CIO Vance Hitch, co-chairman of the CIO Council’s Information Security and Identity Management Committee. It is IT’s job to help them and the agencies they lead become more proactive and thereby more secure.
A management dashboard for security offers one approach. The Veterans Affairs Department, for instance, created a business intelligence tool for IT security. The VA Incident Response Tracking System (VIRTS) lets the department’s security team parse, analyze and then elevate incident information based on the risk and potential harm to the department.
While it’s crucial that senior managers be more involved in IT security, they also must avoid becoming mired in trivia. They can’t be pinged every time someone rushes the network gateway — imagine the alerts that would generate at the Pentagon alone, where literally thousands of breach attempts occur daily.
To get that common view, senior managers will need tools such as VIRTS so they can get quick snapshots of activity and analyze security trends over time, as VA executives do before sharing reports regularly with Congress.
But fundamentally, this sharing of cyberspace information must not become a FISMA reporting exercise on steroids; it needs to go beyond the inventorying commonly done for the Federal Information Security Management Act. The effort must lay the groundwork for addressing weaknesses in infrastructure — in the government, that means in agencies’ own systems and networks — that make it vulnerable to attack. Only then can the driving goal of the 60-day review be achieved: creating a national cyberinfrastructure that’s both trusted and resilient.