The FISMA Focus IPD

Are We Ready for a Financial Cyber Attack?

Source: Wall Street Journal

An assault on Estonia in 2007 disrupted banking and other services for over a week.

In September 2009, the Obama Administration announced the Federal Cloud Computing Initiative.  As the government’s CIO explained, cloud computing “has the potential to greatly reduce waste, increase data center efficiency and utilization rates, and lower operating costs.”  The Federal Risk and Authorization Management Program (FedRAMP) addresses the key elements of a cloud computing framework for federal agencies.

Federal use of “shared pool of configurable computing resources” does, however, present special cybersecurity challenges – particularly with regard to continuous monitoring.

An Audit Report by NASA’s Office of Inspector General found that “six computer servers associated with IT assets that control spacecraft and contain critical data had vulnerabilities that would allow a remote attacker to take control of or render them unavailable. Moreover, once inside the Agency-wide mission network, the attacker could use the compromised computers to exploit other weaknesses we identified, a situation that could severely degrade or cripple NASA’s operations.”

The IG report warned that “the Agency is vulnerable to computer incidents that could have a severe to catastrophic adverse effect on Agency assets, operations, or personnel.”

NIST’s Special Publication 800-39, Managing Information Security Risk: Organization, Mission, and Information System View was described by the agency as “the capstone publication” of the Joint Task Force, “a federal cyber security partnership made up of the Department of Defense, the Intelligence Community and NIST.”

Of particular note, SP 800-39 introduced the

three-tiered risk management approach that recommends federal agencies focus, initially, on establishing an enterprise-wide risk management strategy as part of a mature governance structure involving senior leaders/executives and a robust risk executive (function). The risk management strategy addresses some of the fundamental issues that organizations face in how information security risk is assessed, responded to, and monitored over time in the context of critical missions and business functions.

 In testimony before the House Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies, GAO emphasized the need to improve the nation’s capacity to protect against cyber threats.  Of particular note, GAO emphasized the need for federal-private sector cooperation in securing critical infrastructure.

As GAO explained,

We recommended that the national Cybersecurity Coordinator and DHS work with their federal and private sector partners to enhance information-sharing efforts, including leveraging a central focal point for sharing information among the private sector, civilian government, law enforcement, the military, and the intelligence community.

GAO’s complete testimony is attached below.

GAO-CYBERSECURITY