Government archives - IT Compliance Advisor


Nov 20 2009   4:15PM GMT

Former cyber czar describes cybersecurity policy-making, faults FISMA



Posted by: Alexander Howard
Greg Garcia, United States, United States Department of Homeland Security, Security, Computer security, Electrical grid, Government, compliance, FISMA, DHS, cyber security, cybersecurity, cyberwar

How did the first U.S. “cyber czar” describe his time as the nation’s assistant secretary for Cybersecurity and Communications (CS&C)? Quoting Mark Twain, Greg Garcia observed that “a man who carries a cat by a tail learns something he can learn in no other way.”

It was “like a paintball fight in an Escher painting” at the Department of Homeland Security (DHS), Garcia said, “with great affection.”

Jokes aside, Garcia, who spoke at the CA IT Government Expo this week in Washington, was clear in describing what it was like in the crucible of the DHS making cybersecurity policy. “Our adversaries right now are better organized and better motivated than we are,” he said. “We, as a nation, are at an inflection point in this national cybersecurity challenge. We have a foundation for organizational structure in the private sector. We need to build a trust framework. If you don’t have an affirmation of trust, even with the same team, you’re not going to be able to get to an effective real-time response.”

Garcia, who served as assistant secretary for CS&C from 2006 to 2008, broke down the components of the Comprehensive National Cybersecurity Initiative (CNCI), established by a presidential directive that President Bush signed in January 2008. The CNCI consists of 12 initiatives aimed at improving cybersecurity on federal networks. “We were seeing terabytes of data flowing out of .gov networks,” said Garcia.

CNCI components include intrusion detection and prevention, research and development into so-called “leap ahead” technologies and better situational awareness, coordinated through the National Cybersecurity Center.

Garcia also advocated better counterintelligence for cybersecurity, “classified network security,” and improved cybereducation and training. (Securing classified networks is a CNCI initiative in its own right; the Einstein intrusion-detection system that DHS operates through US-CERT monitors unclassified federal civilian networks.)

Echoing the NERC CSO’s remarks last month, Garcia has had to think through how deterrence strategy changes in cyberwar, especially when other nation states are already inside the electric grid or government networks. “At what point does a cyberattack become an act of war?” he asked. “How do you make it more dangerous for our adversaries to attack us? A lot of it has to do with attribution.”

Garcia affirmed the need for something like the Federal Information Security Management Act (FISMA) for ISPs, but said that “it needs to be market-driven, at least for now, until we can determine if there’s market failure. Every infrastructure sector has different business models and risk models.” Garcia offered what may be a controversial example: an initiative in which major investment banks came together and “designed their own FISMA, if you will,” with auditors to assess financial network security.

When it came to the utility of FISMA in assessing cybersecurity readiness, however, Garcia had few kind words. “FISMA has not been successful, primarily because it has been a box-checking exercise,” he said. “It is not evaluating security. That’s a very hard thing to do, because you have different threat models and vulnerability environments.”

Nov 17 2009   10:55PM GMT

Study links outsourcing, mobile workforce and cyberterrorism threats



Posted by: Alexander Howard
Government, Federal Information Security Management Act of 2002, Security, United States Department of Health and Human Services, United States, Government agency, Application security, Critical infrastructure, FISMA, cybersecurity, compliance, CA, Ponemon Institute, research

A new study of top government IT executives conducted by the Ponemon Institute identified outsourcing, cyberterrorism and an increasingly mobile workforce as significant threats to data, government systems and the nation’s critical infrastructure.

IT executives from the Departments of Defense, Justice, Homeland Security and Health and Human Services represented the largest proportion of respondents to the study, which was sponsored by CA Inc.

The study found that 63 percent of respondents perceived the increasingly mobile workforce “as contributing significantly to endpoint security risks as a result of insecure mobile data-bearing devices that are susceptible to malware infections as well as insecure wireless connectivity.”

[Image: Cybersecurity Center Opens in Virginia (Getty Images via Daylife)]

Perhaps reflecting the current zeitgeist around the “Government 2.0” movement and compliance concerns around enterprise 2.0 tools, the study showed that 79% of respondents see increased use of collaboration tools as a significant risk to data protection.

Specifically, the use of social computing platforms is increasing the storage of unstructured data that could contain sensitive information in a repository that is not effectively secured. Fifty-two percent of respondents identified the use of Web 2.0 applications as a vector for increased risk for sensitive data loss, including social networking, social messaging and wikis.

Unstructured data and outsourcing were viewed by respondents as the top two root causes of increased cybersecurity risk to sensitive and confidential information. This concern is reflected at the Department of Homeland Security, where application security has been referenced as both a supply chain risk and a cyberterrorism threat.

As reported by the study, 38% of respondents were unsure whether there had been cybercrime on their network in the past year. Perhaps more significant is that only 2% to 5% knew that it had happened, and even that figure may understate the true total.

“I do feel the numbers are underreported,” said David Hansen, CA’s corporate vice president and general manager of the company’s security management unit. “In the past, cybercrime incidents have tended to be brushed under the carpet. More pressure on disclosure has forced some changes to happen and is helpful for awareness.”

Data breaches, by way of contrast, must be published or reported, and 34% of respondents said that their agency had experienced two to five data breaches in the past year. Overall, 75% of respondents said that their agency had experienced a data breach in the last year. Respondents overwhelmingly chose wireless networks as the primary threat vector, followed by endpoints and networks.

Finally, 48% of respondents said their organization isn’t taking appropriate steps to comply with the Federal Information Security Management Act (FISMA), and 55% said they don’t have adequate security technologies to protect information assets and critical infrastructure.

“When I talk to government agencies, they look at FISMA compliance as a necessary evil,” said Hansen. “I think they might have to either redefine it to address new threats and create a lower common denominator or push for accountability.”

The question now, as bills like the ICE Act or the Cybersecurity Act work their way through Congress, is whether FISMA reform will adequately address the vulnerabilities that government IT executives are worried about.

“The problem is that, in many cases, government doesn’t have a lot of control of a lot of critical infrastructure, like manufacturing, power plants or private networks,” said Hansen. “Part of cybersecurity is about critical infrastructure and things that are not covered by FISMA. Most of those systems have no virus or malware protection. That hasn’t been an issue because those systems weren’t connected to the Internet. Now, systems are being connected and are creating massive exposures that just weren’t there before.”

The Ponemon Institute’s “Cybersecurity Mega Trends” study is available for download from CA.com as a PDF.

Oct 23 2009   1:52PM GMT

White House launches GreenGov Challenge: Carbon compliance at hand?



Posted by: Alexander Howard
Barack Obama, Greenhouse gas, United States Congress, green, carbon compliance, sustainability, gov2.0, Government, enterprise, compliance, energy, Smart Grid, data center

On Monday, the White House announced a “bottom up” initiative to “green government,” inviting federal employees to contribute ideas for energy efficiency. The GreenGov Challenge follows up on an Executive Order that President Barack Obama signed on Oct. 5 directing federal agencies to appoint a sustainability officer and set greenhouse gas emissions reduction targets by early 2010.

Watch: Video of President Obama signing the Executive Order

In other words, so-called “carbon compliance” is now officially on the horizon for the IT staff at federal agencies. If Congress decides to move forward with regulation of greenhouse gas emissions, CIOs at private-sector businesses will also face new requirements.

Asking more than 1.8 million civilian employees and armed service members for their ideas on saving energy is bound to yield a good idea or three. Larger questions around implementing, measuring and enforcing carbon emissions limits will be thornier and may not lend themselves to crowdsourcing.

As I wrote in today’s story, the role of sustainability software in carbon compliance is likely to be substantial. Another issue to be aware of is nascent competition in the market for electric metering in the smart grid. Google PowerMeter might run right up against the entrenched leader in smart metering software, a certain business software company located in Germany: SAP. As reported last year by SearchSAP.com, SAP is positioned for utility transformation as the smart grid develops. To be fair, Google is positioned at the consumer and small business level, while SAP is the definition of an enterprise software provider.

Given the pressure for homeowners, businesses and data center operators to become more sustainable in the years ahead, however, there’s likely to be room in the carbon compliance software market for both companies for some time to come.

Sep 3 2009   8:16PM GMT

Evaluating the cybersecurity plan and the role of a federal CISO



Posted by: Alexander Howard
United States Department of Homeland Security, U.S. Department of Homeland Security, Security, Government, cybersecurity, compliance, IT compliance, FISMA, strategy, CISO

In this episode of the IT Compliance Advisor podcast, Associate Editor Alexander B. Howard interviews Patricia Titus about the Obama Administration’s cybersecurity plan, the creation of a federal CISO and where policy might move in the coming months. Titus was formerly chief information security officer at the Transportation Security Administration within the U.S. Department of Homeland Security.

Podcast: Patricia Titus on cybersecurity

When you listen to the podcast, you’ll hear Titus’ views on:

  • What’s new in the cybersecurity plan?
  • Why is it taking a while to name a cybersecurity coordinator?
  • Where is the U.S. CISO?
  • What would be the top challenges of a U.S. CISO, should one be appointed?
  • What are the elemental needs for implementing cybersecurity across government agencies?
  • How do the Rockefeller-Snowe Bill (S.773) and ICE Act fit into cybersecurity strategy?
  • What would ramping up the nation’s offensive capabilities in cyberwar mean?
  • What do compliance officers and CISOs need to think about this fall?

Note: Our colleague Mike Mimoso also interviewed Titus about the Obama cybersecurity plan in June for Security Wire Weekly, when the strategy was first released. The episode also features security luminary Howard Schmidt and Paul Kocher, chief scientist of Cryptography Research.

May 29 2009   4:21PM GMT

White House releases cybersecurity report on cyberspace policy



Posted by: Alexander Howard
Melissa Hathaway, White House, United States Department of Homeland Security, Government, Technology, National security, cybersecurity

Earlier today, the White House released its long-awaited cybersecurity report, the Cyberspace Policy Review, along with a video featuring commentary and perspective from officials and experts.

Melissa Hathaway, cybersecurity chief at the National Security Council, wrote the following “Securing Our Digital Future” entry on the White House blog:

“The globally-interconnected digital information and communications infrastructure known as cyberspace underpins almost every facet of modern society and provides critical support for the U.S. economy, civil infrastructure, public safety and national security. The United States is one of the global leaders on embedding technology into our daily lives and this technology adoption has transformed the global economy and connected people in ways never imagined. My boys are 8 and 9 and use the Internet daily to do homework, blog with their friends and teacher, and email their mom; it is second nature to them. My mom and dad can read the newspapers about their daughter on-line and can reach me anywhere in the world from their cell phone to mine. And people all over the world can post and watch videos and read our blogs within minutes of completion. I can’t imagine my world without this connectivity and I would bet that you cannot either. Now consider that the same networks that provide this connectivity also increasingly help control our critical infrastructure. These networks deliver power and water to our households and businesses, they enable us to access our bank accounts from almost any city in the world, and they are transforming the way our doctors provide healthcare. For all of these reasons, we need a safe Internet with a strong network infrastructure and we as a nation need to take prompt action to protect cyberspace for what we use it for today and will need in the future. Protecting cyberspace requires strong vision and leadership and will require changes in policy, technology, education, and perhaps law.

The 60-day cyberspace policy review summarizes our conclusions and outlines the beginning of a way forward in building a reliable, resilient, trustworthy digital infrastructure for the future. There are opportunities for everyone — individuals, academia, industry, and governments — to contribute toward this vision. During the review we engaged in more than 40 meetings and received and read more than 100 papers that informed our recommendations.”

We’ll have more perspective and commentary next week on what this report will mean for compliance and security professionals. In the meantime, you can read the Cyberspace Policy Review for yourself.

[If you followed @ITCompliance on Twitter, by the way, you already knew all that. - Ed.]

May 1 2009   4:18PM GMT

Cybersecurity trends: Security and compliance aren’t the same thing



Posted by: Alexander Howard
Center for Strategic and International Studies, Security, SANS Institute, McAfee, compliance, Government

When I first blogged about my experience at RSA Conference 2009, I noted that cyberwar, compliance, virtualization and cloud security were key trends at RSA. A week later, I still see that as an accurate statement, but it’s one that fails to capture a shift in the larger context of information security in 2009.

It’s not enough to be compliant anymore; organizations must actually be secure.

Security and compliance officers understand the distinction, of course, but guidance is now coming down from top scientists and, if recent legislation in Washington passes, directly from the federal government. Just read “ICE Act would restructure cybersecurity rule, create White House post” and “Kill-switch bill would add certification, licensing burdens” to see what may be coming down the pike.

I gained perspective on this trend toward actual security, as opposed to rubber-stamped compliance, throughout RSA. Speakers, panel sessions, analysts and informal conversations with security practitioners all reiterated that security and compliance aren’t the same thing.

Alan Paller, director of research at SANS, said he sees the shift from compliance to actual security as long overdue, and driven directly by the Department of Defense. As Paller sees it, the “20 Critical Controls,” or Consensus Audit Guidelines (CAG), are the new gold standard for security and compliance for federal agencies, defense contractors and all other parts of the nation’s critical infrastructure.

The Commission on Cybersecurity for the 44th Presidency, headquartered at the Center for Strategic and International Studies, released a cybersecurity report that supports and extends these controls. Former USAF CIO John Gilligan has been driving discussion and implementation of these controls through the national defense infrastructure.

As Paller noted in an interview, it’s key to know which metrics matter. Without guidance, “people will dashboard all the wrong data. It’s like keeping a garage clean but not bothering to lock the door.” Paller says that the SANS Institute is shifting its training for security and compliance professionals to “the controls that matter” under the CAG, focusing on actual security. That means hardening software, hardware and infrastructure after taking inventory of all assets, as NERC compliance requirements already mandate. “Government agencies must be required to comply with a set of prioritized controls that actually stop attacks.”

Peter Firstbrook, a Gartner analyst covering security, said he sees considerable frustration among enterprise executives in the private sector over the mismatch between security and compliance. The trend he sees is toward “minimizing the attack surface,” where security isn’t reduced to patching, nor compliance to checklists. Organizations are doing due diligence on gap analysis and taking inventory of both proprietary and protected data. That matters, since Firstbrook has observed that malware is getting more and more intelligent. “There’s a huge infection of targeted attacks that disable endpoint security.”

Firstbrook also extended a biological metaphor to the security challenges faced by organizations in the current landscape of shifting threats: “Patches are like a visit to the ER. The key is to understand AV, software, hardware, viruses and worms as part of an ecosystem of threats and to engage in preventive ‘medicine’ beforehand. Conficker was avoidable.”

Feb 2 2009   7:41PM GMT

How will the Massachusetts Data Protection Law affect IT compliance?



Posted by: Alexander Howard
regulatory compliance, Massachusetts, data protection, business, PII, PIFI, Office of Consumer Affairs, Chief information officer, Government, Harvard Medical School, Health care

The Massachusetts Office of Consumer Affairs and Business Regulation established a significant new regulation in 2008, 201 CMR 17.00: Standards for the Protection of Personal Information of Residents of the Commonwealth. The strict new data protection rules were set to take effect on January 1, 2009.

After the shift in the nation’s macroeconomic climate and strong resistance by state business leaders, however, the deadline for compliance with the basic provisions of the law was extended to May 1, 2009.

I’ll be traveling to Waltham to try to livestream the state’s public hearings on the regulation. Assuming that no technical difficulties occur in our use of uStream.com, you’ll be able to watch a webcast of the proceedings and ask questions through the integrated chatroom. An archived version of the event will also be available for on-demand viewing.

We’re also preparing a podcast that will examine the new regulation from the perspective of a compliance software expert, a security expert and the MIS officer of the Massachusetts Office of Consumer Affairs and Business Regulation. You can expect the podcast to become available later this week.

Dr. John Halamka, CIO of CareGroup Health System and CIO/Dean for Technology at Harvard Medical School, provided some perspective on the relationship of the new MA data protection law to healthcare compliance on his blog.

UPDATE: Due to the expected 4-7″ of snow falling here in Massachusetts, the Greater Boston Network Users Group has cancelled today’s Q&A with David A. Murray, general counsel, and Gerry Young, CIO. Details are posted on the calendar at BNUG.org. We’ll update you when the next hearing is scheduled.
