Don't Waste Time Waiting for Cyber Czar
It appears, at times, as if Washington's cybersecurity community is on hold, awaiting word from President Obama on who will be his cybersecurity adviser. Everyone seems caught up on how much authority the White House cybersecurity coordinator will have. Who cares?
If agency CIOs, CISOs and others responsible for securing government IT are awaiting the appointment of the cybersecurity coordinator to get their marching orders, they're wasting time. In reality, what will happen in the White House in the coming weeks will have little or no bearing on what agency security managers must do now to perform their jobs.
If agency CIOs and CISOs are awaiting the appointment of the cybersecurity coordinator to get their marching orders, they're wasting time.
That's because the cybersecurity coordinator - along with federal CIO Vivek Kundra and CTO Aneesh Chopra, all based in the White House -- will focus on cybersecurity policy but it will remain with the agencies to provide the operational muscle to safeguard the government's information assets. Besides, we know the general direction White House policy will head; the president outlined this in his May 29 speech following the 60-day review conducted by National Security Council aide Melissa Hathaway.
And, what that policy will - or should - include is the leveraging of resources to make managing and securing government IT more efficient. We'll see civilian agencies mimicking the Defense Department in how to tackle cybersecurity. Defense has at its IT security nexus in DISA, the Defense Information Security Agency, which provides for the military branches centralized operational management of IT, including information security. Civilian agencies should replicate this model, employing existing efforts from the General Services Administration and the Department of Homeland Security. Simply, more than 100 departments and agencies would work as a single IT enterprise, just as the military branches do through DISA.
That doesn't mean agencies would forfeit total control over IT management and security, just as the military branches retain control over their information assets. It's just an extension of shared services initiatives begun under the E-Government Act.
An example of this collaboration is the Trusted Internet Connection, known as TIC. In 2007 and 2008, when I headed e-government and IT in the White House Office of Management and Budget, we initiated TIC to reduce the number of Internet connections to fewer than 100 from the tens of thousands. In light of the recent cyber attacks, not only would fewer Internet connections be more easily managed, but sharply reducing the number of such entry points would make it easier to identity external threats to government information systems. White House policy on this matter has been decided, so there's no need to wait for a cybersecurity coordinator; its incumbent for agency IT management and security officials to continue their work on TIC that will create an environment trust within government.
Programs such as TIC would especially benefit smaller entities such as the Marine Mammal Commission, giving it the same level of cyber defense as larger agencies. As with its larger counterparts, the commission would pick from a number of GSA pre-certified Internet service providers who work with DHS to identify malicious signatures and other cyber warnings on traffic flowing to and from government servers.
Similar collaborations among agencies with GSA and DHS would work well as the government looks to employ cloud computing. GSA could offer consolidation of data center as a cloud offering, something the agency is exploring. DHS, in turn, would monitor and analyze traffic to seek out and quash any vulnerabilities.
Sure, managers in the departmental and agency trenches working to secure IT should be concerned about the cybersecurity polices emanating from the White House, but for now, their attention must be focused on what they've been hired to do. They already have their marching orders.
Karen Evans, as administrator of e-government and information technology in the White House Office of Management and Budget and director of the Federal CIO Council from 2003 to 2009, served as the highest ranking IT executive in the federal government. During her 27-year government career, Evans held numerous IT managerial positions, including CIO of the Department of Energy. She is a partner at KE&T Partners LLC.