Oct 24
Experts Offer Fed Infosec Governance Plan

From: GovInfoSecurity.com

Strengthening Government IT Security without New Laws

By Eric Chabrow

A group of highly respected IT security thought leaders is calling on the Obama administration to exercise existing powers to strengthen the processes the federal government employs to secure its information systems.

A white paper issued through the Center for Strategic and International Studies recommends that the White House Office of Management and Budget update nearly 12-year-old guidance, OMB Circular A-130, to require agencies to implement automated continuous monitoring to detect and mitigate vulnerabilities in agencies’ IT systems. The report also recommends that the government grant more authority to the Department of Homeland Security to identify the security controls federal civilian agencies should deploy, and that it identify ways for civilian and national security/defense agencies’ IT systems to work together to protect critical IT systems.

Many elements of the recommendations in the 20-page paper, Updating U.S. Federal Cybersecurity Policy and Guidance: Spending Scarce Taxpayer Dollars on Security Programs that Work, are being implemented by the administration. “We’re as much trying to give impetus to efforts already underway as claiming, as Columbus might have, to have discovered a new land,” report coauthor Franklin Reeder, a former OMB executive, says in an interview with Information Security Media Group’s GovInfoSecurity.

A cofounder of the Center for Internet Security, which operates the Multi-State Information Sharing and Analysis Center, Reeder coauthored the report with Dan Chenok, chairman of the federal government’s Information Security and Privacy Advisory Board; Karen Evans, national director of the U.S. Cyber Challenge; James Lewis, senior fellow and director of the CSIS Technology and Public Policy Program; and Alan Paller, founder of the SANS Institute, an IT security training organization.

Reducing IT Vulnerability

The paper outlines a series of steps that the administration could take to reduce the vulnerability of government systems, including:

  • Requiring automated continuous monitoring, measurement and mitigation technologies that monitor the behavior of government networks, generate quantifiable data that let agencies identify, report and measure risk, and take rapid action to resolve problems.
  • Recognizing the growing importance of the role of the DHS and assigning it responsibility for establishing the priority of security controls to guide agency implementation of continuous monitoring and mitigation, recommending minimum security controls for agencies to implement based on analysis of risks common across the government, and providing this minimum control and priority list to inspectors general to guide their assessment of agency performance.
  • Identifying ways to cross the anachronistic bright line established between national security and non-national security systems, to deal with the reality that we live “in a world in which a cyberattack on our public utilities or our credit and banking systems could be as devastating as an attack on the control systems for a weapons system.”

The recommendations mirror provisions in the Cybersecurity Act of 2012, comprehensive IT security legislation stalled in the U.S. Senate over other provisions that deal with the role of government in establishing IT security best practices for the mostly privately owned national critical IT infrastructure.

The authors also encourage the government to focus more on “information” itself as opposed to the technology and application employed to supply or create the information. “The shift of the focus to information recognizes the constantly changing technology environment and allows agencies to take advantage of the most up-to-date solutions, while taking into consideration the risk associated with their deployment,” the report says. “Additionally, this only assists in prioritizing the overall review of information resources. The approach would need to be used in conjunction with the continuous monitoring in order to adequately assess the risk profile associated with the agencies’ services.”

In the interview, Reeder says expanding continuous monitoring, detection and mitigation shouldn’t cost the government money because it would eliminate the need for the triennial, paper-based reviews agencies conduct under the Federal Information Security Management Act, which cost agencies tens of millions of dollars, a process coauthor Paller labels “security by three-ring binder” and which the authors say has very little effect on security. “We think that would more than cover the cost of implementing the kinds of security automation that universal adoption of continuous monitoring, detection and mitigation would require,” Reeder says.

The Center for Strategic and International Studies also sponsored the Commission on Cybersecurity for the 44th Presidency in 2008, which issued a report that the new Obama administration in 2009 used as a basis for its cyberspace review. Elements of the commission findings also found their way into legislation sponsored by a number of lawmakers.
