
5 Fed Cybersecurity Priorities for the Summer

Summertime action: naming a cyber czar, reforming FISMA, securing the cloud, enhancing R&D and updating the Privacy Act.

A sleepy summer in Washington in regards to cybersecurity? Forgetaboutit! From 1600 Pennsylvania Avenue to Capitol Hill to the suburban outskirts of the capital, administration officials, Congressional staffers and IT security bureaucrats are pushing ahead on legislation and policy to secure government IT and protect citizens' online privacy.

The five top cybersecurity priorities the government is tackling this summer are naming a cybersecurity czar, reforming the Federal Information Security Management Act, securing cloud computing, enhancing cybersecurity R&D and updating the Privacy Act.

1. Naming a Cybersecurity Czar

When President Obama outlined his administration's cybersecurity policy late last month, he disappointed some by not naming a senior White House cybersecurity adviser. Many government IT security experts have called for a high-level czar who would have the president's ear. The president referred to the post as a cybersecurity coordinator, suggesting a less influential aide. Either way, the president is expected to name someone to that post shortly.

"A coordinator is a good thing to have, compared to what we had before," says Eugene Spafford, head of Purdue University's Center for Education and Research in Information Assurance and Security and one of the nation's foremost experts in information security. "The problem with such a position is that it reports up through several levels of different organizations before getting to the president. Whoever is in that position doesn't have any ability to set policies that are going to be adhered to by executive branch agencies. That person doesn't have any budget authority, other than what they can persuade the Office of Management and Budget or other organizations within the Executive Office of the President."

Tom Stanton, a fellow at the Center for the Study of American Government at Johns Hopkins University, says President Obama should choose as cybersecurity czar someone like John Koskinen, who, as deputy director of the Office of Management and Budget in the late 1990s, helped guide the government's year 2000 remediation efforts. "You need somebody in the czar position ... who has John Koskinen's ability to herd ducks, to get these agencies, for all of their turf issues, for all of their infirmities, for all of their distraction to other elements of their mission, to focus on this and get it done," Stanton says.

Among the names mentioned as possible White House cybersecurity advisers: former Rep. Tom Davis, onetime chair of the House panel with IT oversight; National Security Council team member Melissa Hathaway, who ran the administration's cybersecurity review; Fred Kramer, assistant defense secretary for international security affairs under President Clinton; Howard Schmidt, former Microsoft chief security adviser and former adviser to Bush on cyberspace security; Paul Kurtz, Obama adviser who served in the National Security Council under Bush and Clinton; Susan Landau, a Sun Microsystems distinguished engineer with cybersecurity and public policy expertise; Maureen Baginski, a former FBI intelligence leader; and Scott Charney, head of Microsoft's cybersecurity division.

On Tuesday, Davis withdrew his name from consideration.

2. Reforming FISMA

Staffers on the Senate Committee on Homeland Security and Governmental Affairs are refining legislation introduced this spring that would revise the seven-year-old Federal Information Security Management Act, the law that directs how the government governs information security.

Two bills have received the most attention: the United States Information and Communications Enhancement Act, or U.S. ICE, sponsored by Sen. Tom Carper, D.-Del., and another measure, the Cybersecurity Act of 2009, sponsored by Sen. Jay Rockefeller, D.-W.Va.

Carper, who chairs the committee's subcommittee that provides government IT oversight, says he intends to work closely with the Obama administration in drafting a final version of U.S. ICE that gets buy-in from various constituencies. Here's what Carper said in an interview with GovInfoSecurity.com earlier this year about working with the new White House team: "Once they get settled in, we'll have an opportunity to clearly signal to the new leadership team that this is something ... we very much want to do that in this new Congress with this new administration, but to do it in a partnership. Not our way or the highway, but in a real partnership."

Rockefeller's proposed Cybersecurity Act is the more controversial of the two; it includes a provision that would allow the president to declare a cybersecurity emergency and shut down Internet traffic to and from government IT systems and the nation's critical IT infrastructure.

The Senate committee is expected to produce one final cybersecurity measure, but the timing of its release hasn't been set. Carper, in the interview, says he expects Obama to sign the new cybersecurity bill by his birthday: Jan. 23.

3. Securing Cloud Computing

Federal CIO Vivek Kundra has made cloud computing - in which applications and services are hosted on servers accessed over the Internet - a major priority of the Obama White House to drive efficiency and lower computing costs. But because cloud computing requires use of the public Internet, security is a major barrier to widespread adoption of the technology.

A team of computer scientists at the National Institute of Standards and Technology, headed by Peter Mell, is working on a series of special publications it hopes to publish by fall that would provide guidance on how federal agencies can use cloud computing while assuring that government IT systems and data are secure.

"Everybody is very interested in ensuring security," Mell says. "What I see most discussed is security compliance issues. Can I document it, implement it, test it and show that it meets the federal government requirements for the security assistance?"

The cloud computing security challenges NIST scientists have identified include conflicts with existing data dispersal and international privacy laws, data ownership, service guarantees, securing virtual machines, massive outages and encryption needs. Other concerns the NIST computer scientists raised include moving personally identifiable information and sensitive data to the cloud, using service-level agreements to obtain cloud security, contingency planning and disaster recovery for cloud implementations, and handling compliance.

4. Enhancing Cybersecurity R&D

Policymakers recognize that cybersecurity research and development has been inadequate, and that tackling the challenge will take not just increased funding but innovative approaches. The government budgeted this fiscal year a mere 0.2 percent, or $300 million, of its R&D budget for information security, an amount the Commission on Cybersecurity for the 44th Presidency deems inadequate.

"It's a question of prioritization, and looking at the cybersecurity budget overall and the entire (government IT) R&D budget, and whether it's aligned with the environment we live in today," says commission member Dan Chenok, chairman of the Federal Information Security and Privacy Advisory Board. "Are we doing R&D on the IT problems of tomorrow, or are we still doing R&D on the projects created 10 years ago? It's not necessarily a question of new money, but also involves better aligning research that's already there."

And Congress is spending this month looking into just that. Subcommittees of the House Committee on Science and Technology are holding a series of hearings on cybersecurity, including the need to inject new thinking into how IT security R&D is approached. "We need to re-imagine the scope of the cybersecurity problem itself and refocus our attention the same way our adversaries have refocused," testified Fred Schneider, a Cornell University computer science professor, before the House Subcommittee on Research and Science Education. "We cannot afford simply to develop technologies that plug holes faster; we need to think of security research more holistically, determining how most efficiently to block, disrupt or disincentivize opponents."

Commitment for a new approach to R&D from the Obama administration came in an exchange between federal Chief Technology Officer Aneesh Chopra and Sen. Ben Nelson, D.-Fla., in which the CTO promised he "would emphasize a research program on 'game-changing' ideas in cybersecurity, to find new ideas that might transform the nation's information infrastructure to be more secure and simpler to understand and use. The goal is to make it 'easy to do the right thing, hard to do the wrong thing, and easy to recover when the wrong thing happens anyway.'"

Indeed, a near-term objective of Obama's cybersecurity report is the development of a framework for R&D strategies that focus on those game-changing technologies that have the potential to enhance the security, reliability, resilience and trustworthiness of digital infrastructure. In his cybersecurity address, President Obama called for the strengthening of the public/private partnership to propel secure IT innovation. "We will collaborate with industry to find technology solutions that ensure our security and promote prosperity," Obama says.

5. Updating the Privacy Act

Enacted 35 years ago, the provisions of the federal Privacy Act have failed to keep pace with changing IT, inhibiting the government from employing some technologies that would help it run more efficiently and raising concerns about whether citizen privacy is protected. "New technologies are generating new questions and concerns; and government use of private-sector databases now allows the collection and use of detailed personal information with little privacy protections," says Chenok, the chair of the advisory board, which last month issued recommendations to update the Privacy Act.

The panel recommends the creation of a federal chief privacy officer and chief privacy officers in each major federal agency. "The structure of privacy governance and leadership has not kept pace with the need to marshal the government's resources effectively in light of changing technology," Chenok says. "Essentially, privacy is a piece of a job of a lot of different people. ... But, there's not really a governance framework in any systematic way that provides for leadership at key levels."

Among the technologies the law has failed to keep pace with are cookies, code secreted in users' browsers that lets websites recognize visitors and track their onsite preferences. Cookies didn't exist when Congress enacted the Privacy Act in 1974. Since 2000, the government has restricted the use of cookies, a practice federal CIO Kundra believes should be reconsidered, and any upgrade of the Privacy Act is expected to address them. Kundra suggests a change in cookie policy may come. Coauthoring a White House blog earlier this month, Kundra writes: "Website cookies have become more mainstream as users want sites to recognize their preferences or keep track of the items in their online shopping carts. We've heard a lot of feedback on this area."

A draft of a new Privacy Act will be presented to the Senate later this month by the Center for Democracy and Technology, a public interest group that has been hosting a wiki, at eprivacyact.org, to allow any interested party to help craft the new bill. CDT Chief Operating Officer Ari Schwartz says the group has been in touch with Sen. Daniel Akaka, D.-Hawaii, and plans to send him the draft shortly, hoping a bill can be introduced by Independence Day, the unofficial deadline for most bills to be considered for enactment this calendar year.


About the Author

Eric Chabrow

Executive Editor, GovInfoSecurity & InfoRiskToday

Chabrow, who oversees ISMG's GovInfoSecurity and InfoRiskToday, is a veteran multimedia journalist who has covered information technology, government and business. He's the former top editor at the award-winning business journal CIO Insight and a long-time editor and writer at InformationWeek.