A couple of recommendations for the new cybersecurity czar

As an immediate result of the 60-day review of the state of federal cybersecurity activities conducted at the behest of the Obama administration, the president announced he will (as has been anticipated) appoint a federal cybersecurity czar in the executive office of the president to direct security policy for the government. In general this should be seen as a positive move, but assuming this new position will not come with significant control over resource allocations or individual agency-level provisions of security measures, just creating the position is of course insufficient to ensure any real improvements in government security posture. It remains to be seen how the position will be structured or what the extent of the responsibilities and powers are that accrue to the post, but there are a couple of things that the administration might want to keep in mind to make this move a success.

The first consideration is how to set an appropriate scope for the sphere of influence the federal cybersecurity director will have. There are a variety of opinions circulating in various draft cybersecurity bills in both houses of Congress, within DHS, OMB, DOD and other key agencies with current responsibility for cyber defense, critical infrastructure protection, and other relevant mission areas. Historically cross-government approaches for security have been quite limited in the set of services or standards they seek to specify for all agencies. The Information Systems Security Line of Business (ISSLOB) chartered by OMB, for instance, only provides two common security services – FISMA reporting and security awareness training – that are more amenable to a “same-for-everyone” approach than some more sensitive services like vulnerability scanning or intrusion detection might be. Having said that, the Department of Homeland Security is moving ahead with the next generation of the Einstein network monitoring program, which would mandate real-time intrusion detection and prevention sensors on all federal network traffic. Government agencies are in the process of consolidating their Internet points of presence under the Trusted Internet Connectivity initiative, in part to facilitate government-wide monitoring with Einstein. There has also been progress made in specifying minimum security configuration settings for desktop computer operating systems (the Federal Desktop Core Configuration) and providing a freely available tool to help agencies check to see that their workstations comply with the standard. So, while there are some good examples to point to for true government-wide standards, it may be difficult to even try to apply consistent security measures on a government-wide basis.

The early write-ups on the new position suggest that a key aspect of the role will be directing cybersecurity policy. In contrast to some of the technical layers of security architecture, policy is an area where some comprehensive guidance or minimum standards would be a welcome addition to managing information security programs in government agencies. The current state of the government leaves the determination of security drivers, requirements, and corresponding levels of risk tolerance to each agency or, in some cases, to each major organizational unit. This results in a system where most or all agencies follow similar processes for evaluating risk, but vary significantly in whether they choose to mitigate that risk and how they choose to do so. Federal information security management is handled in a federated approach and is quite subjective in its execution. This subjectivity results in wide disparities in responses to threats and vulnerabilities, because what one agency considers an acceptable risk may be a show-stopper for another.

So the new cybersecurity czar should develop and issue a set of security policies for all federal agencies, along with appropriate existing or updated standards and procedures on how to realize the security objectives articulated in those policies. It would also be nice, where appropriate, to see the administration break from the Congressional tradition of never specifying or mandating technical methods or tools. The language on protecting public health information from breaches and required disclosures of breaches in the HITECH Act didn’t even use the word “encryption” but instead specified a need to make data “unusable, unreadable, or otherwise indecipherable.” No one should suggest that the administration tell its cabinet agencies to all go out and buy the same firewall, but there are opportunities in areas such as identity verification, authentication, and authorization where the reluctance to suggest a common technology or approach creates its own set of obstacles.