Czar Prospect Offers Cybersecurity Vision

DHS, NIST Play Key Roles
June 27, 2009 - Eric Chabrow, Managing Editor, GovInfoSecurity.com

Scott Charney wasn't auditioning to be President Obama's cybersecurity adviser, but his appearance Thursday before a House panel shows why the Microsoft executive is considered by some to be a leading candidate for the White House job.

In testimony before the House Committee on Science and Technology's Subcommittee on Technology and Innovation, the Microsoft corporate vice president of trustworthy computing provided details on a plan to exploit complementary capabilities at the Department of Homeland Security and the National Institute of Standards and Technology to create what he called a "hybrid model for information security that improves security across the federal enterprise and fosters agility to counter ever-changing threats."

And, in discussing the relationship between government and business to jointly safeguard federal IT systems and the nation's critical IT infrastructure, Charney offered astute observations on such a challenge. "Early efforts on partnership focused on information sharing. The problem is that information sharing is not an objective, it's a tool," he said. "You share information so you can do something. Sharing information just for the sake of sharing information doesn't make any operational change that makes security better. So, the first problem was the wrong focus, focus on sharing instead of action."

Charney - who co-chaired the highly respected Center for Strategic and International Studies Commission on Cybersecurity for the 44th Presidency - hasn't publicly said he'd take the White House post if offered. During the hearing, Committee Chairman David Wu, D.-Ore., and ranking minority member Adrian Smith, R.-Neb., were deferential to all witnesses, but seemed to focus more attention on Charney than on the others. And he didn't disappoint, showing his wide knowledge of the challenges facing the government in securing IT.


Hybrid Cybersecurity Model

In his testimony, Charney said some elements of cybersecurity are common throughout government, such as developing IT security plans and implementing the Federal Desktop Core Configuration, which requires purchased PCs and laptops to be preinstalled with specific security controls. Yet he pointed out how diverse the various components of the federal government are from one another in terms of functions and systems. "A fully centralized model for managing security will not work," he said. "Each agency has a unique security paradigm with different threats, so each agency needs to manage its own risk."

Still, he said, if some security controls should be applied uniformly across the government while other controls need to be tailored to address specific agencies' missions and risks, a hybrid model must be fashioned. Such a model, he said, would include a centrally managed horizontal security function providing a foundation of governmentwide policy, standards and oversight, as well as vertical security functions resident in individual agencies to manage their own risks.

In this hybrid model, Charney said, DHS and NIST would provide the horizontal function and individual agencies would carry out the vertical functions. DHS would develop minimum baselines for security and work with the standards community where appropriate. It also would develop processes to foster implementation of best practices that exceed the minimum standards, so federal agencies could more quickly achieve higher levels of security when necessary to address their own unique risks. Under the plan he outlined, NIST would create governmentwide standards to help agencies meet the security control policy set by DHS.

Each agency would be responsible for assessing its own risks and implementing effective management controls: configuring and patching systems, building effective incident response capabilities, identifying and detecting unauthorized access, testing security controls regularly, auditing for compliance and implementing security changes.

Charney said this plan has many challenges. NIST needs more funding for its Computer Security Division to continue its focus on standards. "With greater resources," he said, "NIST will make a more dramatic impact on the cybersecurity of the computing ecosystem."

The Microsoft executive noted that DHS has struggled without a strategic plan for cybersecurity, resulting in an unfocused approach to IT security that wasn't optimized for effectiveness. "The lack of a cohesive vision was exacerbated by constant changes in leadership, lack of personnel, and inadequate funding for its mission," he testified. "Moving forward, DHS should develop a strategic vision and look to build on its strengths in partnership, information sharing and growing security capabilities to function in the horizontal role."

Government-Private Sector Cybersecurity Partnership
