7 Key Elements for Fed Cybersecurity
No Cyber Czar; Harmonize Federal, Commercial Standards

"Government policy that attempts to force top-down solutions onto an inherently peer-to-peer problem will always fail, as has been demonstrated by U.S. government cybersecurity initiatives during the last 15 years," the report's author and Gartner Vice President John Pescatore said in a statement accompanying the release of the report.
In the report, Gartner says the federal government has a major role to play in stimulating progress toward a higher level of cybersecurity. Gartner analysts find that reducing vulnerabilities is the high-leverage area for strengthening information security; that an operations-centric approach is needed, not another czar; and that many agencies can serve as best-practice examples of enforcing current regulations.
Here are the advisory firm's seven recommendations on how best the federal government should shape its cybersecurity strategy:
- Stop Studying and Start Acting - There have been plenty of existing efforts to define and measure the shortcomings of cybersecurity, so there is no need to reinvent the wheel.
- Harmonize Federal Security Standards with Commercial Equivalents - Although there will always be a need for higher levels of security than commercial standards allow, harmonizing the base level will eliminate duplication and waste and enable the government to drive suppliers to higher levels of security more easily. Similar harmonization at the federal level of data privacy and disclosure rules is needed, as well.
- Use Purchasing Power to Drive Security to be Built-In - Because the key to increasing cybersecurity lies in reducing vulnerabilities, all government software procurements should require application vulnerability testing as part of the acceptance criteria.
- Evaluate Existing Regulations and Rejuvenate Enforcement - There are areas where federal legislation is needed to harmonize conflicting state laws, but the biggest bang for the federal buck will be in the actual enforcement of existing rules and regulations.
- Keep Offense and Defense Separate - The primary goal of a cybersecurity strategy must be to make attacks ineffective through prevention rather than detect successful attacks by enabling surveillance. Combining the two functions will inevitably result in lower levels of security and possibly increased privacy violations.
- Reward Best Practices - Most of the publicity tends to go toward the government agencies with low Federal Information Security Management Act scores in annual audits, and currently there seems to be little or no effort to spread best practices across agencies.
- Establish a Federal Chief Information Security Office, Not a Cybersecurity Czar - The bottom line is that improving national cybersecurity is an operations issue. The problems are well understood, solutions are known, and gaps have been identified. Organizations with high security in private industry and government almost invariably have a strong security office and a chief information security officer, and that is the model the U.S. government should follow.