Blame the Editor for Kundra's Fuzziness
Please excuse the fuzzy photo below of Federal CIO Vivek Kundra, sitting at a table in his office with a picture behind him of President Obama working at a computer in his private White House digs.
My apologies to the chief information officer; the camera was new and I couldn't get the flash to work. Heck, I'm a writer, not a photographer, and I didn't want to waste a few more moments to figure out how the camera worked because I had limited time to conduct an interview.
Kundra's office - on the fourth floor of the nearly 140-year-old Eisenhower Executive Office Building, just west of the West Wing of the White House - faces south. Look out the window, crane your neck, and you'll see the Washington Monument. Without twisting any body parts, you can make out the Jefferson Memorial just over a mile away.
But enough description; let's get to what Kundra had to say. I covered two topics Kundra addressed - forthcoming Office of Management and Budget guidance on FISMA and secure cloud computing - in an article and blog posted earlier. We also discussed two other subjects: approaching cybersecurity as insurance and whether the Obama administration favors legislation to reform the Federal Information Security Management Act.
Kundra says he is working with White House Cybersecurity Coordinator Howard Schmidt and the Federal Chief Technology Officer on cybersecurity insurance. Cybersecurity insurance? It's a metaphor, he says, for assessing risk.
"If we think about the analog here in our own personal lives, when you look at homeowners insurance or when you look at car insurance, people make economic decisions based on some of the insurance models, right? Whether you are actually going to make sure you look at whether it is a property near a fire hydrant or not, how far it is from the fire station, all these economic decisions are having an impact. So we are exploring, is there a role as we think about cybersecurity insurance and behavioral economics in the context of cybersecurity within the federal government."
Historically, Kundra says, agencies' cybersecurity assessments have been a "blunt instrument" that don't reveal much about how agencies secure IT.
"This agency is not doing well, this agency is doing well, but what does well mean, right? In the insurance world, they spend a lot of time and energy and they have got actuarial data that say if you are 'X' feet away from a fire hydrant, you are more secure. So I am trying to use that analog in the federal government. That is where we are looking at some of these opportunities and figuring out how could we apply that thinking to cybersecurity within the U.S. government. So how would a CIO build a system in the same way that the insurance companies look at risk that is actionable? It is real and it is specific rather than this abstract notion of 100 percent security."
There's widespread agreement in most quarters of the federal government that agencies must move to continuous monitoring of IT systems as a way to verify information security, and away from the paper process that documents whether they merely comply with regulations required under FISMA. OMB is expected to soon issue guidance to require agencies to conduct continuous monitoring. But will an act of Congress still be required to eliminate the current paper-driven compliance process? Kundra replied, but not directly:
"In terms of federal law, we are working closely with Congress given the legislation that has been introduced both in the House and in the Senate, and we are coordinating with Congress as far as what we need to do when it comes to the legislative approach as far as cybersecurity is concerned. So I can't comment obviously beyond that."
I sought a yes or no response from Kundra on whether he believes Congress needs to pass FISMA reform legislation to accomplish all that he wants.
"Well, not in the context of what I am talking about in terms of the real-time metrics that we need to focus on. The problem you are running into is if an agency has not implemented just a simple system that allows you to get all of the traps, all the logs, the ability to analyze all of that information, and you don't necessarily need statute, that is a best practice. That is what I mean, that is like 101 stuff where we need to get agencies focused on that to make sure that they are implementing across the enterprise systems that are going to monitor their security posture in a real-time basis."
"Correct me if I am wrong," I asked, "but I thought that FISMA required a certain kind of paperwork compliance, and if that is the case, if you want to get away from that, won't you still have that there (without a new law)?"
"And that is what I mean; that is why we are going to be working closely with Congress."
"So there would be some need for some kind of congressional action?" I asked. He replied:
"So we will work with Congress on that issue."
Should I take that as a yes? Again, my apologies for the fuzziness.