10 Happenings Shaping Gov IT Security in 2010
Actions and Inactions Defined Cybersecurity During the Past Year
Cybersecurity is complex, and governments from Capitol Hill to the state capitals took steps to try to get it right. It wasn't always easy.
Here's GovInfoSecurity.com's take on the 10 happenings in 2010 that shaped government IT security. Each entry is followed by samples of our content that provide more insight.
1. The Do-Nothing Congress
A much-repeated assertion heard throughout the year was that cybersecurity reform isn't partisan, yet it fell victim to congressional - or at least senatorial - politics in 2010. The House approved several bills that would have significantly changed the way the government governs IT security, including the establishment of a Senate-confirmed, White House cybersecurity director, but such legislation never came up for a vote in the Senate.
Lots of talk, but not the walk, as government cybersecurity expert Jim Lewis prognosticated early in 2010: "What you're going to see are some very good bills introduced and long series of debates leading up to the end of the year."
- 6 Key Cybersecurity Bills Before Congress
- Melissa Hathaway's Nine Cybersecurity Bills to Watch
- Failure to Enact Major Infosec Bill Foreseen
2. A Cybersecurity Coordinator, Finally
Who would be the "cyberczar?" That was the big question for more than half of 2009. At year's end, Obama tapped longtime cybersecurity whiz Howard Schmidt as White House cybersecurity coordinator, an appointment widely praised. Indeed, 10,000-plus attendees at the RSA conference in March greeted Schmidt like a rock star as he revealed the declassification of parts of the Comprehensive National Cybersecurity Initiative. Schmidt isn't a recluse; he speaks at conferences and grants occasional interviews, but he works mostly behind the scenes. During his tenure, he unveiled a national online identity plan and an agreement with the banking industry to speed commercialization of cybersecurity innovation.
Schmidt is a pragmatic optimist. "There's a real threat out there," he told an interviewer, "but the threat sort of follows the way we build our defenses against it, and I think those things continue to move in parallel."
- Yes, Howard Schmidt Has the President's Ear
- Howard Schmidt Dismisses Cyberwar Fears
- Howard Schmidt: The Pragmatic Optimist
3. Budget Crunch
Federal spending on cybersecurity is increasing; one study projects annual IT security spending rising by 9 percent over the next five years. But that's not the case for financially strapped municipalities and states. Nine of 10 states surveyed by the National Association of State CIOs report that lack of funding is the biggest barrier to securing their states' IT systems. About 80 percent report their states' IT security budgets have been cut or remained the same from the previous year, "creating an environment that is even harder to secure," Utah CIO Steve Fletcher said.
Short on cash, local and state CISOs have become creative. Here's how Nevada CISO Chris Ipsen put it: "We need to look at how we can partner with our other governmental entities (local, county governments) to communicate effectively with them, to define what roles each entity should have and to leverage the best of breed solutions from any of those entities for the maximum benefit of the citizens."
- N.Y. Eyes Cyber-Homeland Security Merger
- CISOs Paint Gloomy Picture of State IT Security
- Getting Out of the Infosec Budget Rut
4. Continuous Monitoring
Though a new law requires defense agencies to employ continuous monitoring of IT systems, similar requirements for civilian agencies were not enacted. Still, a White House memo issued in April instructed federal departments and agencies to use a new, online interactive collection tool called CyberScope to file their Federal Information Security Management Act reports, a big step toward continuous monitoring.
The National Institute of Standards and Technology in December issued its draft of Special Publication 800-137 that details how federal agencies can implement continuous monitoring. In June, NIST issued its revision of SP 800-53 - the so-called CISO bible - that addresses security controls that can be automated. Still, NIST cautioned that continuous monitoring alone won't safeguard government IT systems.
- Kundra Previews New FISMA Guidance
- Proof: Continuous Monitoring Does Work
- NIST Offers Continuous Monitoring Guidance
5. WikiLeaks and the Insider Threat
Much of the talk about cybersecurity in government centered on threats from outsiders - the Chinese and Russians or cyberterrorists - but the leak of sensitive U.S. government documents published by WikiLeaks showed that the insider threat can be just as worrisome. "You're always worried about insider threats in terms of either espionage or compromising capabilities, and cyber is no different," Deputy Defense Secretary William Lynn III said.
WikiLeaks posted 75,000 internal military logs in June; five months later, it published 250,000 diplomatic cables. An Army private with access to classified data on military servers is being blamed for the leaks. With some 854,000 people holding top-secret security clearances, such an insider threat wasn't surprising. And, one IT security survey blamed insiders for nearly half of the breaches, up 26 percentage points in one year.
6. Transition to Cloud Computing
2010 was a transition year for cloud computing in government. A White House plan unveiled in December emphasized government use of secure cloud computing, and tasked the National Institute of Standards and Technology to develop new standards to assure its safety. The General Services Administration in December became the first federal agency to move e-mail to a cloud-based system.
Last spring, the government introduced FedRAMP - the Federal Risk and Authorization Management Program - which would let agencies piggyback on the vetting of cloud computing providers, a move seen as speeding cloud computing adoption.
Meanwhile, agencies such as NASA's Jet Propulsion Laboratory prototyped cloud services to identify where security gaps exist. And states have developed frameworks to assure safe cloud computing that include data ownership, security compliance, location of data and service-level agreements. "What we are trying to do is to set the framework, which means that these cloud solution providers meet our requirements, not the other way around," said then-Michigan CISO Ken Theis.
- Fed's Common Sense Vetting of Cloud Providers
- 5 Critical Elements of a Cloud Framework
- JPL Reaches for the Clouds
7. Defense Cyber Standup
The cyber military command stood up this spring, headed by the National Security Agency director, Army Gen. Keith Alexander, signifying that cyber is as vital to the military as land, sea, air and space. "Cyberspace is manmade but is equally important," Deputy Defense Secretary William Lynn III said. In August, Lynn unveiled what he characterizes as five pillars of cybersecurity strategy aimed at strengthening the defense of military IT systems and networks.
In October, the Defense and Homeland Security departments established a joint approach to defend America's government, military and domestic IT infrastructure. The framework agreed to by DHS Secretary Janet Napolitano and Defense Secretary Robert Gates embeds within DHS a DoD cyber analyst to better support the National Cybersecurity and Communications Integration Center. In turn, DHS Deputy Assistant Secretary for Cybersecurity and Communications, Navy Rear Adm. Michael Brown, will work full time at the National Security Agency, DoD's electronic spy agency, along with a support team comprised of DHS privacy, civil liberties and legal personnel.
- Gates Defines Military Cyber Command's Role
- DoD Unveils New Cyber Defense Strategy
- DHS, DoD to Tackle Jointly Cyber Defense
8. Federal Cyber Initiatives Stumble
The Obama administration sought $3.6 billion this year to fund major projects under the Comprehensive National Cybersecurity Initiative, including the Einstein intrusion detection and prevention initiatives and the Trusted Internet Connection program aimed at reducing the number of government Internet connections. Those programs, along with the Federal Desktop Core Configuration, or FDCC, project, came under scrutiny from government auditors in 2010.
A Department of Homeland Security inspector general report in June pointed out that the information sharing Einstein is meant to promote had been hampered by a lack of state-of-the-art technical and analytical tools and technologies to identify, detect, analyze and respond to cyber attacks.
The Government Accountability Office, in an April audit, said federal adoption of TIC had been meager by the end of fiscal 2009, though Matt Coose, director of federal network security at the Department of Homeland Security's National Cybersecurity Division, said most federal agencies should have implemented TIC by year's end.
As to FDCC, which requires baseline security controls for all federal Windows computers, GAO in another April audit said no agency had fully implemented all configuration settings, meaning the effectiveness of the initiative is limited.
- GAO: CNCI's Goals are at Risk
- Einstein Presents Big Challenge to U.S.-CERT
- Most Agencies to Deploy TIC By End of 2010
9. DHS's Growing Influence
While lawmakers sponsored legislation to create a White House office to oversee federal government cybersecurity efforts - none of those bills ever came close to being enacted - the Department of Homeland Security, with the backing of the Obama administration, gained more sway over determining federal cybersecurity policy, at least among civilian agencies.
In July, Office of Management and Budget Director Peter Orszag and Cybersecurity Coordinator Howard Schmidt issued a memorandum granting DHS primary responsibility for the operations of federal agency cybersecurity. The memo signified what already was in practice. National security and presidential homeland security directives have given much cybersecurity authority to DHS, including critical infrastructure protection, operation of the United States Computer Emergency Readiness Team and oversight of the implementation of the Trusted Internet Connection and Einstein intrusion detection and prevention initiatives.
Before Congress, administration cybersecurity policy is mostly presented and defended by senior DHS officials such as Deputy Undersecretary Philip Reitinger. And, in a year-end speech, DHS Secretary Janet Napolitano characterized protection of cyberspace as the department's most important mission after counterterrorism.
- DHS Given More Cybersecurity Responsibilities
- Top DHS Official Questions Creation of New Infosec Bureaucracy
- Napolitano Outlines DHS Cybersecurity Focus
10. Staffing Up
At one point in her speech at the RSA security conference in March, Homeland Security Secretary Janet Napolitano scanned the audience of thousands of IT security experts as if she were searching for the right person to hire. Perhaps she was. "We may try to recruit some of you or your talent right now," Napolitano said. "We need the best brains to bring to bear on meeting the challenge."
By one estimate, the government needs some 30,000 IT security pros to secure its systems and networks, so building a qualified, cybersecurity workforce grew as a government priority in 2010.
One of the more visible initiatives in 2010 was the U.S. Cyber Challenge, a nationwide talent search that features a series of contests primarily aimed at college-age students, with the aim of encouraging