Cybersecurity Year in Review: 10 Top Happenings
New President, New Tone on Securing Federal Digital Assets
Just weeks earlier, a tony panel of government and private-sector IT security experts known as the Commission on Cybersecurity for the 44th Presidency issued a report that provided the blueprint on how the new administration should address the nation's information security challenges.
2009 didn't disappoint, in many respects, as cybersecurity received unprecedented attention as a national priority. Still, the year provided more promise than triumph, though the foundation was laid for what could prove to be a very productive 2010.
What follows are the 10 most important cybersecurity happenings of 2009.
1: That Cybersecurity Vision Thing
It's called the 60-day review - that's how long a survey of federal cybersecurity policies and processes was to take, but rarely are schedules adhered to in government. Well over 100 days after Melissa Hathaway began the review, President Obama issued his Cyberspace Policy Review.
The policy review consists of 10 major themes, including coordinating cybersecurity in the White House, designating cybersecurity a key management priority for federal agencies, appointing a privacy and civil liberties official, initiating public infosec awareness campaigns, strengthening international cybersecurity partnerships and backing research and development to find game-changing technology to secure digital assets.
Though cautious, Obama said the right things in his May 29 White House address: "Protecting this infrastructure will be a national security priority ... Protecting our prosperity and security in this globalized world is going to be a long, difficult struggle demanding patience and persistence over many years."
2: Czar Wars
Two major predicaments surround the so-called cybersecurity "czar" - three, if you count the word czar as a problem.
At the heart of President Obama's cybersecurity policy is the creation of a position the chief executive calls a cybersecurity coordinator, a senior White House adviser who would report through the National Security Council.
Problem No. 1: The waiting game. Despite harping by some of his most loyal backers, President Obama took his time - nearly seven months - to name a cybersecurity adviser: Howard Schmidt, a former infosec adviser to the Bush White House and chief information security officer at Microsoft and eBay. Why so long? The president never gave a reason, but several prospective candidates reportedly turned the job down because it wasn't a senior enough position and the administration was distracted by healthcare, the economy and the wars.
Problem No. 2: Though the president promised he would meet periodically with the cybersecurity coordinator, others, including some influential lawmakers, feel the job should be higher up in the chain, such as a special assistant. The Commission on Cybersecurity for the 44th Presidency and some legislation floating around the Capitol would create an Office of Cyberspace in the White House.
Problem No. 3: Some lawmakers such as Sens. Joseph Lieberman and Susan Collins, the chairman and ranking member of the Senate panel with cybersecurity oversight, believe the cybersecurity post should require Senate confirmation because of the importance of the position. Otherwise, they contend, it's just another "czar" without any requirement to inform Congress on a critical national matter.
3: Legislation 'R' Us
Even before he introduced in April the U.S. Information and Communications Enforcement Act, legislation aimed at updating the Federal Information Security Management Act of 2002, Sen. Tom Carper predicted that President Obama would sign the bill on his 63rd birthday, Jan. 23. U.S. ICE, as the bill is known, was one of the more visible pieces of legislation introduced in 2009.
Sens. Jay Rockefeller and Olympia Snowe stirred emotions among some when they introduced the Cybersecurity Act of 2009, which included a provision that would allow the president to declare a cybersecurity emergency and shut down Internet traffic to and from government IT systems and the nation's critical IT infrastructure.
The year ended with no action being taken on either bill. But Sen. Joseph Lieberman is working with his colleagues to create what could be an omnibus cybersecurity bill that could incorporate provisions of both bills. Lieberman, chair of the Senate Homeland Security and Governmental Affairs Committee, says his bill would codify the White House cybersecurity adviser and require Senate confirmation.
In November, the House Science and Technology Committee approved the Cybersecurity Enhancement Act, a nuts-and-bolts IT security bill that would require the president to assess the government's cybersecurity workforce, including an agency-by-agency skills assessment, and provide scholarships to students who agree to work as cybersecurity specialists for the government after graduation.
4: Summer Breaches
Starting over the Independence Day weekend and continuing for about a week, hackers targeted government and business websites in the United States and South Korea, causing varying degrees of disruption of service. Among federal government websites reportedly assaulted: the White House, National Security Agency, Departments of Defense, Homeland Security, State, Transportation and Treasury, Federal Trade Commission and the Secret Service. Tom Kellerman, who chaired the threats working group of the Commission on Cybersecurity for the 44th Presidency, characterized the attack as "a fact of life now because of Web 2.0, and that's the real worrisome phenomenon here."
A month later, hackers defaced the homepages of a dozen House members.
In June, Deputy Defense Secretary William Lynn III, the No. 2 Defense Department official, revealed that more than 100 foreign intelligence organizations are trying to hack into U.S. information networks. "This is not some future threat. The cyber threat is here today; it is here now," Lynn said.
How pervasive are attacks on government systems? The Government Accountability Office in October said NASA reported 1,120 security incidents that have resulted in the installation of malicious software on its systems and unauthorized access to sensitive information in fiscal years 2007 and 2008.
5: CAG: A No Brainer
It's common sense: the proper use of controls has a positive influence on securing IT assets. A public-private consortium in February determined the greatest threats to IT systems and developed 20 Consensus Audit Guidelines, or CAG, that federal agencies and others should implement to protect those systems.
For each of the controls, the experts identified specific attacks that the control stops or mitigates, best practices in automating the control and tests that can determine whether each control is effectively implemented.
"It is a no brainer; if you know that attacks are being carried out, you have a responsibility to prioritize your security investments to stop those attacks," said John Gilligan, the former Air Force and Energy CIO who leads the continuing CAG initiative.
As 2009 was drawing to a close, Gilligan said the consortium was readying a new report to link specific automated tools to the critical security controls that could be automated.
6: IT Celebrity Cult
What separates 2009 from other years when it comes to government IT and cybersecurity is the cult of personality of those placed in charge.
Perception, of course, plays an important part, and President Obama facilitated that process by relabeling the title of the Office of Management and Budget IT leader as Federal Chief Information Officer. Vivek Kundra technically was named OMB's administrator for e-government and IT, a post previously held by Mark Forman and Karen Evans, who often were referred to as the government's "de facto" CIO.
Scandal, too, helps create the aura of celebrity. Just days after Kundra was named federal CIO in March, the administration briefly suspended him from his job after news broke of fraud charges being brought against an official in Washington, D.C.'s Office of the Chief Technology Officer, the office Kundra headed when tapped by Obama. Kundra was quickly cleared of any wrongdoing and resumed his new job after a weekend-long leave, though the investigation uncovered a shoplifting charge 13 years earlier.
Melissa Hathaway, who led President Obama's 60-day cyberspace policy review, developed an aura of celebrity caused, in part, by the mystery surrounding the process. At least among some following the policy review, her public absence created the aura of a rock star in hiding.
7: The Departed
How important they were in the overall picture of securing government IT assets is open to debate, but the fact that several highly visible cybersecurity leaders left government service this past year drew considerable attention.
The first, and most contentious, was Rod Beckstrom's resignation in March as director of the Department of Homeland Security's National Cybersecurity Center. Beckstrom, somewhat of a celebrity when he took the job a year earlier, said he quit because of a lack of appropriate infosec funding and the growing cybersecurity role of the National Security Agency.
Melissa Hathaway's departure in early August as the top White House cybersecurity adviser received the most attention - indeed, it was among GovInfoSecurity.com's most accessed stories of the year. The woman who led the president's 60-day cybersecurity policy review wasn't picked to be the White House cybersecurity coordinator, despite strong support from many in the government infosec and security community, and she left the government to join a Harvard Kennedy School policy center.
Mischel Kwon's August resignation as director of the U.S. Computer Emergency Readiness Team, or U.S.-CERT, was interpreted by some as a symptom of the administration's lack of focus on information security because of the failure of President Obama to name a cybersecurity coordinator. Kwon, in an interview, disputed that notion: "We all left for different reasons. ... We are all three different individuals who left for different, personal reasons. I don't think grouping all three of us together is accurate at all."
8: Transformational Guidance
The superlatives flowed in November when the National Institute of Standards and Technology issued a draft revision to its Special Publication 800-53 - words like "transformational" and phrases like "historic in nature." Was it hyperbole? Not quite.
"The important changes described (in the publication) are part of a larger strategic initiative to focus on enterprise-wide, near real-time risk management; that is, managing risks from information systems in dynamic environments of operation that can adversely affect organizational operations and assets, individuals, other organizations, and the nation," Ron Ross, NIST's Federal Information Security Management Act implementation project leader, said in reference to the report, Recommended Security Controls for Federal Information Systems and Organizations.
Past NIST guidance focused mostly on steps IT security pros should take to safeguard information assets, processes that didn't involve the continual monitoring of a system's security.
NIST always has provided guidance for new technologies and processes, but the opportunities and problems manifested by nascent technologies present daunting new challenges for the agency. Take, for instance, secure cloud computing; NIST computer scientists have spent the better part of the year trying to figure out how federal agencies can safely implement the ability to access data and systems over the Internet cloud, and as the year was drawing to a close, the first draft of that guidance was pending despite hopes that it would have been released months ago.
9: Help Wanted
The job market looks bleak almost everywhere, except for the federal government, at least when it concerns cybersecurity.
Indeed, on Oct. 1, the Homeland Security secretary kicked off the first day of National Cybersecurity Awareness Month by announcing DHS's new authority to hire up to 1,000 cybersecurity professionals over the next three years. It's not just DHS; it seems nearly every agency is hanging help-wanted signs in its windows seeking IT security pros.
At NASA, Deputy CIO Jerry Davis characterized the cybersecurity work the space agency faces as being voluminous. "There is just not enough folks to handle that," he said.
The dearth of qualified infosec pros has agencies looking to students to help fill their roster of positions. In November, the Defense Information Systems Agency held a job fair for cybersecurity students in Maryland. "We have open positions for everybody looking for a challenging career in cybersecurity," said DISA technical director Doug Gardner.
Two factors make the situation worse. The first is the lack of PhDs to teach information security at the nation's colleges. Simply put, you first need to develop the experts to teach the experts. "Building the doctoral ranks takes time," Georgia Tech professor Seymour Goodman told Congress in June. At that hearing, Cornell University professor Fred Schneider said that most university computer science programs lack the faculty to offer relevant cybersecurity courses. "Even if a CS department has managed to hire a few cybersecurity specialists, they will likely also be involved in teaching the large complement of other classes that need to be covered by a department giving undergraduate and graduate CS degrees," he said.
A second factor hampering the recruitment of cybersecurity pros for federal service, according to a study issued in July by the not-for-profit Partnership for Public Service, is a disconnect that exists between federal government CIOs, CISOs and IT hiring managers and the human resources professionals charged with finding qualified candidates with cybersecurity skills. "The human capital management process is broken; operations and HR people should be joined at the hip and collaborate across the government," says Norman Lorentz, former chief technology officer at the White House Office of Management and Budget.
Meanwhile, legislation before Congress would require that cybersecurity professionals be certified, an idea that former Interior CIO Hord Tipton supports - he heads (ISC)2, which certifies infosec professionals - but he concedes that it might not be practical now because of a scarcity of certified IT pros. "It's a problem," Tipton said, adding that in a few years the problem could be resolved. "It's a doable thing. It couldn't be done overnight."
10: Retooling NIST
It wasn't a bold announcement, more like a trial balloon, but one that within months was deflated. In a letter written in late August, NIST's Information Technology Laboratory director Cita Furlani revealed a proposal to reorganize the lab to enhance research on cybersecurity at the National Institute of Standards and Technology.
Under Furlani's plan, the director of the lab's Computer Security Division would have been elevated to a position within the IT Lab director's office, serving as ITL's cybersecurity adviser. "If we had the chief cybersecurity adviser positioned in the lab headquarters, which is one of the proposals, there will be a strengthening and a multi-collaborations across the laboratory," Furlani said in an interview.
But Furlani announced before the House Technology and Innovation Subcommittee in October that she was suspending the reorganization plan because of objections raised by some NIST stakeholders. One of those stakeholders, Sun Microsystems Distinguished Engineer Susan Landau, told the same panel that the reorganization could hamper the Computer Security Division's brand. "While spreading security across an IT support organization might be useful, the same is not true for an organization doing research," she said. "Dividing different groups supporting CSD's mission will be detrimental to the work CSD does. Ultimately, the effect will be to weaken CSD's impact on federal civilian security."
And weeks later, in an interview, subcommittee Chairman Rep. David Wu said he supports the creation of a Computer Security Laboratory, saying: "It's a very important field that deserves a profile and the increase in access of both to senior management and to resources."
Despite the setback, Furlani wasn't left hanging by her new boss, NIST Director Patrick Gallagher, whom the Senate confirmed Nov. 5. "Every manager should be striving to make sure their organization is as effective as possible," Gallagher said in the interview. "What Cita was doing was looking at one of the major tools that a manager has, which is your organizational structure optimized for being as effective as possible. It was a very thoughtful proposal. The reality is that many of the cybersecurity activities already spread across various divisions within ITL, and this was the chance to try to create some synergies to make the organization more effective."
In fact, Gallagher has asked his top managers to reassess NIST's organizational structure - a move that could lead to its first reorganization in nearly two decades. All options are in play, including the possibility of merging some of its 10 laboratories, the major units within NIST.
"The real objective is what's the organizational structure that makes NIST most effective in the face of some very real challenges and needs," Gallagher said. "I think the country really needs NIST to be responsive, and to be capable and to work effectively with its stakeholder communities. There are a lot of ways doing that, and one of those tools is management structure."