TRENDING:

The Expert's View with Karen Evans

Don't Waste Time Waiting for Cyber Czar

Karen EvansJuly 15, 2009    

It appears, at times, as if Washington's cybersecurity community is on hold, awaiting word from President Obama on who will be his cybersecurity adviser. Everyone seems caught up on how much authority the White House cybersecurity coordinator will have. Who cares?

If agency CIOs, CISOs and others responsible for securing government IT are awaiting the appointment of the cybersecurity coordinator to get their marching orders, they're wasting time. In reality, what will happen in the White House in the coming weeks will have little or no bearing on what agency security managers must do now to perform their jobs.

That's because the cybersecurity coordinator - along with federal CIO Vivek Kundra and CTO Aneesh Chopra, all based in the White House -- will focus on cybersecurity policy but it will remain with the agencies to provide the operational muscle to safeguard the government's information assets. Besides, we know the general direction White House policy will head; the president outlined this in his May 29 speech following the 60-day review conducted by National Security Council aide Melissa Hathaway.

And, what that policy will - or should - include is the leveraging of resources to make managing and securing government IT more efficient. We'll see civilian agencies mimicking the Defense Department in how to tackle cybersecurity. Defense has at its IT security nexus in DISA, the Defense Information Security Agency, which provides for the military branches centralized operational management of IT, including information security. Civilian agencies should replicate this model, employing existing efforts from the General Services Administration and the Department of Homeland Security. Simply, more than 100 departments and agencies would work as a single IT enterprise, just as the military branches do through DISA.

That doesn't mean agencies would forfeit total control over IT management and security, just as the military branches retain control over their information assets. It's just an extension of shared services initiatives begun under the E-Government Act.

An example of this collaboration is the Trusted Internet Connection, known as TIC. In 2007 and 2008, when I headed e-government and IT in the White House Office of Management and Budget, we initiated TIC to reduce the number of Internet connections to fewer than 100 from the tens of thousands. In light of the recent cyber attacks, not only would fewer Internet connections be more easily managed, but sharply reducing the number of such entry points would make it easier to identity external threats to government information systems. White House policy on this matter has been decided, so there's no need to wait for a cybersecurity coordinator; its incumbent for agency IT management and security officials to continue their work on TIC that will create an environment trust within government.

Programs such as TIC would especially benefit smaller entities such as the Marine Mammal Commission, giving it the same level of cyber defense as larger agencies. As with its larger counterparts, the commission would pick from a number of GSA pre-certified Internet service providers who work with DHS to identify malicious signatures and other cyber warnings on traffic flowing to and from government servers.

Similar collaborations among agencies with GSA and DHS would work well as the government looks to employ cloud computing. GSA could offer consolidation of data center as a cloud offering, something the agency is exploring. DHS, in turn, would monitor and analyze traffic to seek out and quash any vulnerabilities.

Sure, managers in the departmental and agency trenches working to secure IT should be concerned about the cybersecurity polices emanating from the White House, but for now, their attention must be focused on what they've been hired to do. They already have their marching orders.

Karen Evans, as administrator of e-government and information technology in the White House Office of Management and Budget and director of the Federal CIO Council from 2003 to 2009, served as the highest ranking IT executive in the federal government. During her 27-year government career, Evans held numerous IT managerial positions, including CIO of the Department of Energy. She is a partner at KE&T Partners LLC.



About the Author

Karen Evans

Karen Evans

National Director, U.S. Cyber Challenge, and Partner, KE&T Partners

As head of the Cyber Challenge, Evans oversees an organization focused on searching for talent to strengthen the cybersecurity workforce in and out of government. Evans previously served as the federal government's de facto chief information officer - officially, administrator for information technology and e-government in the White House Office of Management and Budget - overseeing $70 billion-plus in federal government spending on IT. Earlier, she served as chief information officer at the Department of Energy.




Around the Network

Evolving Threats Facing Robotic and Other Medical Gear
Evolving Threats Facing Robotic and Other Medical Gear
Is It Generative AI's Fault, or Do We Blame Human Beings?
Is It Generative AI's Fault, or Do We Blame Human Beings?
Properly Vetting AI Before It's Deployed in Healthcare
Properly Vetting AI Before It's Deployed in Healthcare
How the NIST CSF 2.0 Can Help Healthcare Sector Firms
How the NIST CSF 2.0 Can Help Healthcare Sector Firms
Protecting Medical Devices Against Future Cyberthreats
Protecting Medical Devices Against Future Cyberthreats
Safeguarding Critical OT and IoT Gear Used in Healthcare
Safeguarding Critical OT and IoT Gear Used in Healthcare
How 'Security by Default' Boosts Health Sector Cybersecurity
How 'Security by Default' Boosts Health Sector Cybersecurity
Identity Security and How to Reduce Risk During M&A
Identity Security and How to Reduce Risk During M&A
Medical Device Cyberthreat Modeling: Top Considerations
Medical Device Cyberthreat Modeling: Top Considerations
Transforming a Cyber Program in the Aftermath of an Attack
Transforming a Cyber Program in the Aftermath of an Attack

Continue »

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.