Federal IT Agenda: 4 Top Priorities of 2009There's a Sea-Change in the Offing on Securing Government Systems
As Congress revs up to reform information security processes for the first time in seven years, and the Obama administration is weeks into a 60-day review of cybersecurity policy, IT leaders and managers charged with protecting the federal government's information systems are focusing on four overlapping facets of IT security:
The Security Climate
With increased spending federal expenditures on information security have soared by 63 percent in the past five years to $6.8 billion, according to the Office of Management and Budget government departments and agencies have made great strides in securing their IT systems and networks, or at least IT managers think so. Six of 10 federal IT managers surveyed by Cisco say their agencies' IT systems were more secure in 2008 than four years earlier; a mere 7 percent contended they were less safe.
Yet, a discomforting notion knots the stomachs of top government IT executives, practitioners, lawmakers and thought-leaders: Federal computer systems and networks are more threatened than ever, especially as those who would do us harm whether criminals or foreign governments become more sophisticated in their attacks. "It's happening every day; it's happening right now. They're coming after us," says Sen. Tom Carper, the Delaware Democrat who chairs a Senate subcommittee that provides oversight on federal information security.
The good news is that those in charge are very aware of the situation; the bad news, of course, is that the work to make government IT systems safer will be excruciating. "The government has grossly underestimated the threat for the past several years," says Paul Kurtz, the former counterterrorism director at the National Security Council and now chief operating officer at Good Harbor Consulting, a cybersecurity consultancy he co-founded with former cybersecurity czar Richard Clarke. "They're coming into tune, they finally understand the gravity of problem, but have a long way to go to put the solution set in place."
Agenda Item #1: Regulatory Reform
Indeed, achieving a fully secure federal information system is improbable, with hardware containing hundreds of thousands of integrated circuits, with operating systems consisting of tens of millions of lines of code and thousands of applications sitting atop of all that. IT is just too complex. Besides, the threats have become more sophisticated, with those targeting federal systems knowing exactly what they want, and the defenders trying if not to stop them to at least limit the damage these assaults can do. At best, current information security solutions tend to be stopgap measures.
"We're kind of in a penetrating patch mentality at this point, where new attacks are launched. We recognize the attacks, we create patches fixes to mitigate those deficiencies and then go onto the next attack tomorrow," says Ron Ross, a senior computer scientist at the National Institute for Standards and Technology's (NIST) Information Technology Laboratory. "You've got to come up with a better strategy for the long term, for building more secure systems, and that is going to start with a more disciplined and structured approach to how we build those systems, and how we actually employ and use the technology."
Prompted by new reforms, that disciplined and structured approach begins with integrating security into the enterprise architecture of an IT system from the get-go, and constantly improving security throughout its lifecycle, Ross says.
Congress is about to map out that approach as lawmakers write legislation to update the seven-year-old FISMA. Last year, FISMA reform made it only through the Senate Homeland Security and Governmental Affairs Committee. Carper, one of the measure's sponsors, will try again, and says the new bill will be introduced this spring and is optimistic the President will sign it within a year. Among its provisions will be specific metrics likely based on standards established by NIST to determine whether IT systems are secure, versus current rules that seem to emphasize whether IT managers checked off the right boxes on Office and Management and Budget compliance forms.
The legislation also will establish a Council of Chief Information Security Officers, in which CISOs from cabinet departments and major agencies can share best practices. The CISOs would continue to report to agency CIOs.
Efforts in Congress to reform FISMA overlap with broader endeavors by the Obama administration to enhance cybersecurity. While regulatory reform spells out the steps government agencies and departments must take to secure their systems, cybersecurity initiatives are more sweeping in scope, aimed at establishing policies and procedures at all levels of government to defend not only the government's systems and networks but the nation's critical infrastructure.
Agenda Item #2: Cybersecurity
"One of my greatest fears is at the nexus of cyber security and physical security," says Greg Garcia, who until late last year was assistant secretary for cybersecurity and communications at the Department of Homeland Security. "Many of our critical infrastructures electrical generations and distribution, water purification, chemical manufacturing are managed, controlled and monitored by digital control systems. When those digital control systems are connected to a network, which after a few twists and turns is connected to the Internet, there's the potential for a remote attack, altering (digital control systems') settings ... that can cause either physical damage or a threat to the safety of our population."
Such situations were on the mind of candidate Barack Obama during the campaign, when he compared cyber attacks to nuclear or biological warfare. Earlier this month, the president tapped senior Bush administration cybersecurity expert Melissa Hathaway to conduct a 60-day review of government proposals, projects and activities related to defending government data and systems. By mid-April, a clearer picture should emerge of the new administration's agenda on cybersecurity, including whether Obama will follow through on his campaign pledge name a White House cybersecurity czar.
Meanwhile, an evolution is taking place in government, born of the Sept. 11 attacks, that is reshaping how government thinks about information security. In the 1980s and 1990s, defense and national security agencies operated their IT systems in silos. "There was no premium on sharing; there was a premium on holding information," says Dan Chenok, a former OMB IT official who served on the Obama transition team and the think tank Center for Strategic and International Studies' commission that produced the Securing Cyberspace for the 44th Presidency report. Civilian agencies, however, were more likely to share information among themselves.
After the terrorists attack, the creation of the Department of Homeland Security from 22 national security-type agencies such as the Coast Guard and Secret Service and civilian agencies such as Federal Emergency Management Agency and the Animal and Plant Health Inspection Service resulted in a new approach to classify and secure data as once secret information needed to be shared with first responders and other federal, state and local agencies.
Now, not only at DHS, but elsewhere in government, security is beginning to be determined based on the type of data and applications needing protection, and not the agency running the system. For instance, a low-risk Defense Department website doesn't require the same amount of security as Internal Revenue Service systems housing detailed financial information about nearly every American family. "It's more a matter of the nature of the information and threats to the system than necessarily the agency that's implementing the system," Chenok says.
The Securing Cyberspace report suggests this new approach should be codified, perhaps in the updated FISMA legislation.
Agenda Item #3: Outsourcing IT Security
Contracting government work to the private sector is a government tradition, one that isn't expected to change with a new administration that isn't perceived as being as pro-business as the previous one. How much work is outsourced? Take, for instance, U.S. intelligence agencies. According to a government survey conducted last year, 27 percent of those working for 16 U.S. intelligence agencies came from private contractors. Of those contractors, 22 percent performed IT chores, including information security tasks.
Don't expect a decline in outsourcing IT security needs, even with the Democrats in control of the White House and Congress. The task of securing federal IT systems is just too big of a job, and the government must turn to the private sector for manpower and expertise. In fact, contract spending by the federal government will rise by a nearly 8 percent five-year compound annual rate to $9.6 billion by 2013, outpacing growth in overall federal IT spending because of the need to secure government information systems, according to the marketing and research firm Input.
What needs will the government seek from the private sector? No. 1, according to Input, are vendors and contractors that offer security operations products and services, such as managed security services, patch management and intrusion detection and response. The feds also seek private-sector help in complying with FISMA and HSPD-12, a White House homeland security directive aimed at creating universal identification standards to provide access to government computer networks and buildings, systems that have proved to be a challenge to implement.
And the private sector is gearing up to meet those needs by hiring top former government leaders to boost their government IT management and security practices. One firm, Deloitte Consulting, has added to its roster just retired U.S. Rep. Tom Davis, the Virginia Republican who chaired the House committee that had oversight over government information security. He joins retired Air Force Gen. Harry Raduege, who headed the Defense Information Systems Agency and co-chaired the panel that produced the Securing Cyberspace for the 44th Presidency report. Booz Allen is rehiring as a retired senior vice president retired Navy Vice Adm. Mike McConnell, who held the nation's top spy job, National Intelligence director, till last month.
Agenda Item #4: Web 2.0 and Cloud Computing
The acceptance of technologies such as blogs, social communities, wikis and videos got a boost on Jan. 20 with the swearing in of Barack Obama, whose campaign's use of these Web 2.0 tools is partially credited with his victory. Still, upon taking office, the new administration angered some staffers by banning the use of instant messaging in the White House. It's not just security or privacy that's a concern, but a federal law that requires White House documents to be made public five years after the President leaves office, including IM messages.
The push to adopt Web 2.0 technologies began during the Bush administration, and a scattering of departmental and agency heads used blogs to communicate with their employees and the public. Before he left office last month, Transportation Department CIO Dan Mintz launched a wiki to allow university researchers working with the department's Research and Innovation Technology Administration to share information with one another. "There was nothing about the stuff that was going to be put on that wiki that was sensitive; it was public information," Mintz says. "Most of what that government does is public information."
Yet, it's not always that simple. In some situations, agencies need to determine what information is sensitive or not because the classification of the data wasn't determined when IT systems were first architected. Classifying that information now can prove time consuming.
While most civilian agencies are slow in adopting Web 2.0 tools, that isn't the case with the intelligence community. For the past few years, 16 intelligence agencies have used a wiki known as Intellipedia, hidden behind a series of firewalls, to share information. Another Web 2.0 platform, sort of a Google for the intelligence community known as A-Space (for Analyst Space) is open only to those with top secret clearance. Run by the National Intelligence Directorate, A-Space has other security practices: for instance, not everyone has access to all components of A-Space, and to assure further security, A-Space observes users' traffic patterns, looking out for suspicious activities.
It's not just Web 2.0 tools being cautiously adopted. Within government IT circles, there is a debate on the safety of the wide use of cloud computing, which accesses applications and data over the Internet. "We're having a hard time to secure information without the cloud," Mintz says. Processes need to be first developed to determine which information is safe to be accessed over the Internet, he says.
Former NSC counter terrorism director Kurtz, however, doesn't see that as a problem, and believes the savings to taxpayers to be significant by using software as a service applications and storing non-sensitive data in the clouds. His only concern: what he calls a "disruption in the sky" an Internet outage that would make access to information problematic. Still, he says, it worth doing and calls for lawmakers to address cloud computing in the regulatory reform legislation.
No doubt, efforts by Congress and the executive branch to strengthen federal IT security will prove beneficial, but the tasks to protect and defense government data and systems will be never-ending. "There are really no secure systems," says NIST's Ross, who also serves as the institute's FISMA implementation project leader. "We can reduce our risk to a good degree, to a manageable degree, to a tolerable degree, but there is never a hope at this point of nailing everything down, all the time. Perfection is just unachievable at this point because the defense is always more difficult than the offense."