5 Fed Cybersecurity Priorities for the Fall
Cyber Czar, FISMA Reform Top Agenda
1. White House Cybersecurity Adviser
Two matters must be addressed: first, whether Congress should establish by law a White House cybersecurity office to manage government-wide cybersecurity; second, the naming of a presidential cybersecurity coordinator, which does not require congressional action.
When Sen. Tom Carper, D.-Del., introduced the U.S. Information and Communications Enhancement Act (U.S. ICE) in April, it contained a provision to establish a National Office of Cyberspace in the White House, with its director confirmed by the Senate. Over the summer, however, the bill - S. 921 - was revised, and that provision was eliminated. The White House has shown little enthusiasm for a Senate-confirmed cybersecurity director, and Carper said earlier this year that he wants to craft legislation that gains widespread support from both congressional chambers as well as the Obama administration. Still, many lawmakers and cybersecurity policymakers in and out of government like the idea of a so-called cybersecurity czar, and the fact that U.S. ICE was revised once doesn't mean it can't be revised again.
Meanwhile, three months ago President Obama promised to name a cybersecurity coordinator, a post that would not require Senate confirmation and would not be as high-level an adviser as some had hoped. The coordinator would have direct access to the president from time to time, but would report to both the national security adviser and the national economic adviser. One reason the post remains vacant is the reluctance of potential candidates to report to two different bosses in the White House -- two officials who could have differing agendas. The coordinator's lack of more direct access to the president is another reason the job remains unfilled. Where the coordinator sits on the White House organizational chart does matter to some potential candidates.
2. FISMA Reform
Most cybersecurity policymakers agree that the Federal Information Security Management Act, the 7-year-old law that governs federal IT security, is outdated and needs to be revised. The main thrust of U.S. ICE - now before the Senate Homeland Security and Governmental Affairs Committee - is to do just that.
One significant departure from the past would be the way the government measures IT security. Under FISMA, agencies must document how they comply with the processes prescribed for securing IT systems. U.S. ICE would rely less on compliance reporting and more on ways to establish, in near real time, whether systems and networks are actually secure, including vulnerability tests in which so-called "red teams" of authorized hackers attack government IT assets.
Among the most controversial provisions in the revised U.S. ICE bill is the shift of much of the leadership in developing federal cybersecurity policy, at least for civilian agencies, from the White House to the Department of Homeland Security, including responsibility for reviewing the IT security budgets of civilian agencies. Supporters of such a shift contend that Homeland Security is the proper home for that role, since it is the civilian department with the most cybersecurity expertise. Opponents argue that giving Homeland Security a say over other federal departments and agencies is inappropriate and could cause friction within the executive branch.
Another bill, the Cybersecurity Act of 2009, also would revise the way the federal government governs IT security. Known as S. 773 and sponsored by Sens. Jay Rockefeller, D.-W.Va., and Olympia Snowe, R.-Maine, the bill's most controversial provision - giving the president authority to limit or halt Internet traffic to and from federal IT systems and the nation's mostly privately owned critical IT infrastructure -- has reportedly been softened since it was introduced this past spring.
Still, S. 773 - assigned to the Senate Commerce, Science and Transportation Committee, a panel chaired by Rockefeller - contains provisions not included in U.S. ICE, such as a requirement that IT security professionals working on government systems be licensed. Though the goal is laudable, some lawmakers and policymakers say there are not enough certified cybersecurity professionals to fill all of the jobs such a requirement would cover.
Look for an amalgamated bill to surface that would include provisions from both measures, with other provisions falling by the wayside.
3. Naming a NIST Director
The National Institute of Standards and Technology (NIST) does a lot more than provide IT security governance for the federal government. But a plan to reorganize NIST's IT Laboratory, where much of that guidance originates, can't move forward until a NIST director is named.
NIST's top IT official contends that the reorganization, which would place the institute's chief cybersecurity adviser in the ITL office, would encourage more multidisciplinary collaboration with other NIST units in developing cybersecurity programs and guidance.
But the reorganization requires the blessing of the NIST director, a presidentially nominated post that has been vacant for more than two years. The White House says the administration is actively seeking a NIST director, but when asked did not explain why one has yet to be named or when the nomination would occur.
4. Privacy Act Reform
Congress is expected to begin writing a new law to update the 35-year-old federal Privacy Act, which was enacted decades before anyone envisioned the modern Internet or much of today's information technology. The groundwork for this prospective legislation was laid this past spring.
Second, the Center for Democracy and Technology created a draft bill based, in part, on a wiki at its website eprivacyact.org, where cybersecurity professionals and others proposed language for a new privacy law.
CDT Vice President Ari Schwartz sees lawmakers drafting a bill this fall, but passage wouldn't likely come until next year at the earliest.
Meanwhile, the Office of Management and Budget is seeking to change a federal rule that bans the use of persistent cookies - small text records that a website stores in a user's browser and that survive after the browser is closed, letting the site recognize and track returning users - a change federal CIO Vivek Kundra says would enhance citizen participation in government. But some privacy experts worry that lifting the 9-year-old ban could pose privacy risks, a concern Kundra says is unfounded. A final decision is expected soon.
5. Cloud Computing
Kundra is a big advocate of the federal government employing cloud computing - in which applications and data are run and stored on servers accessed over the Internet - to drive efficiencies. He put the practice in place while head of the District of Columbia IT office.
Among the potential cloud computing benefits identified by a team of NIST computer scientists: dedicated security teams, greater infrastructure security, reduction in certification and accreditation activities, simplifying compliance analysis, low-cost disaster recovery and rapid reconstitution of services.
The information security challenges they identified included conflicts with existing data dispersal and international privacy laws, data ownership, service guarantees, securing virtual machines, massive outages and encryption needs.
Legislation before Congress would establish processes for developing and employing cloud computing securely. The NIST computer scientists are expected to issue a special publication on cloud computing shortly, though widespread adoption of cloud computing by federal agencies is years off.