Governance & Risk Management

Cooperate, Not Regulate, on Cybersecurity

Finding highly qualified IT security specialists is always a challenge, whether the employer is the government or a business. It's a challenge Stanton Sloane knows well as the chief executive officer of SRA International, one of the largest providers of IT and cybersecurity services to the federal government. Sloane also has a distaste for regulation.

"There is always the issue of enough experts, enough people to throw at the problems," Sloane says in an interview with GovInfoSecurity.com (transcript below). "We are stretched a little bit in terms of trying to staff all of these programs we have. I would argue that cybersecurity is not solely a technical problem. It is equal parts technical, business process and policy."

In the interview, Sloane also discusses the:

Potential of the federal government regulating the IT sector, and the problems he feels that could raise.

Importance of a White House cybersecurity coordinator to get agencies, as well as the private sector and foreign governments, to collaborate on cybersecurity, regardless of to whom the so-called "czar" reports.

Relationship between business and government in confronting global IT security danger.

Sloane spoke with Eric Chabrow, managing editor of GovInfoSecurity.com.

ERIC CHABROW: What are the major cybersecurity challenges facing the federal government?

STANTON SLOANE: There are a couple of them. First of all, of course, protecting government networks, government information, command and control systems, those kinds of things to avoid penetration and necessary actions. Second, I would say, has to do with infrastructure. Of course, a lot of the infrastructure in the country is in private hands so that is something that requires collaboration with federal government in order to be effective. But clearly, penetration of electrical grids, those kinds of things of which we've seen a lot lately, are also important. The third one is intellectual property. Today, a lot of intellectual property is being stolen, frankly is leaving the country, and I think that is a huge strategic issue for the country.

CHABROW: What would be the responsibility of the federal government in this?

SLOANE: First of all, the government should be an information source for people to make them aware of where there are problems and also provide information on how best to deal with it. Clearly, people that manage infrastructure have a motive to keep the infrastructure up and operating so it's not like government has to provide a lot of penalty for failure to deal with issues, but it can be proactive and help people that run these infrastructures understand the nature of the problem and get them information as quickly as possible. I think that would go a long way to helping. Some type of information exchange there would probably be a good idea.

CHABROW: Where in government would this information exchange originate from? Would that be something in the White House, Homeland Security?

SLOANE: You can put it any one of a number of places. Of course, the president has indicated he wants to put a cybersecurity czar in place and that would be a good place to coordinate it. Where it physically resides I think is less important. What is more important is that the various elements of government contribute to it, because different parts of the government have different insights and different information about the nature of cybersecurity issues. If you could get everybody to contribute to a centralized database, afford one stop shopping if you will, for information exchange that would be very helpful.

CHABROW: Are you troubled with the delay by President Obama in naming a cybersecurity adviser, and is that hindering the federal government's efforts to better secure not only federal government IT but the critical IT infrastructure of the nation?

SLOANE: There is certainly an imperative to get somebody in place and we have a lot of issues that have to be addressed. For me, it's not so much the time, although I would say there needs to be urgency around it, but more is the nature of the job, responsibility, accountability, and what the person has the ability to control. The structure of the job is certainly as important as the timing.

CHABROW: At the moment, the structure of this job has not really been defined. The president said that individual will report to both his national security adviser and national economic adviser. Do you think that makes sense?

SLOANE: For me, I don't care so much where it reports. What is more important is what authority and what control that person has in order to be able to effect the role and the changes that I think need to be made. Reporting isn't the issue. It is what ability, what tools do they have, what access to the White House they are going to have in order to be able to perform the role effectively, and to me that's not an issue of so much where it reports.

CHABROW: Have you heard enough to feel comfortable with that position, having that kind of authority or not?

SLOANE: I would have to say I think it needs more definition. My guess is there are a lot of discussions going on. I've been fairly vocal in my communications to everybody I could get to listen with respect to the fact that they need to understand that the role is not just about protecting government networks. This role has to span government and commercial enterprise. In fact, it is even an international issue, because in order to effectively address some of these cybersecurity problems, we're not going to be able to do that independently. The U.S. will not be able to do that without the cooperation from other countries. A lot of these cyber criminals reside outside of the U.S. A lot of the foreign intelligence activities that are targeting U.S. networks are obviously outside of the U.S., and those kinds of issues don't get addressed without some fairly intense diplomatic and political activities.

CHABROW: As recently revised, the proposed U.S. Information and Communications Enhancement Act, or U.S. ICE - the bill to reform the Federal Information Security Management Act, FISMA - would shift much of the authority for governing federal IT security among civilian agencies to the Department of Homeland Security from the Office of Management and Budget. What is your view on granting Homeland Security more sway in determining federal cybersecurity policies and processes?

SLOANE: I'm fine, frankly, with wherever it reports. To me, what's more important is the scope of the job and the ability to control the resources in order to effect the changes. No matter what department or what agency it reports to, or who has responsibility, it's going to require a broad government effort and it's going to require collaboration with the private sector as well as international. No one agency has a kind of a band of control across that whole space, so it really ends up being a job of coordination and that could be done by Homeland Security or frankly anyone else.

CHABROW: Let's talk about the private sector. What role should the private sector play in helping formulate any government policy dealing with cybersecurity?

SLOANE: Most companies would prefer not to have the government be too involved in managing their day-to-day business. The government certainly can incentivize private companies and, frankly, there is an inherent incentive to want to protect your intellectual property and your company network, so the government doesn't have to be very punitive in its approach to commercial industries. It's more about providing information and access to resources and assistance to help understand the nature of the problems and effective ways to deal with it. I don't think that requires a lot of legislation and kind of process rules. It can be done more in a collaborative fashion with industry associations, advisory groups; there's a variety of ways the government reaches out to industry today and those can be very effective.

CHABROW: You sound a bit concerned though that you feel that there are some quarters in government that might want to institute some kind of regulation. Is that a big concern?

SLOANE: That is always a concern. We try and have government serve the people, not vice versa. I think all of the U.S. wants to make sure that government is as limited as it needs to be. That said, some of these things can only be addressed through the resources of federal government because of the breadth of the problem, the nature of the problem, the technology of the problem; it's not something that any individual company can address. It requires a collaborative effort. The trick is how do you get the balance?

CHABROW: And do you know how to get the balance?

SLOANE: Well, like I said, I would err on the side of an industry exchange collaborative type organization that stops short of legislation and regulation. I think a lot can be done without that. The other thing is to get the government to provide a more centralized way to access the information about this. Today, there are a lot of different things that you would certainly categorize as cybersecurity issues that really span the government, everything from the intelligence community to military networks to health networks, and therefore there are compartments of information around the federal government about the nature of these problems, and if we could get that some place where people could access it and share it, it would be more effective.

CHABROW: Gartner recently came out with a prediction that by the middle of next decade government will regulate the information technology sector. Gartner is basing its beliefs, in part, on what has occurred in other industries as they matured. Did you see that Gartner report?

SLOANE: Yes.

CHABROW: Do you think it has any credence?

SLOANE: I think what will happen, barring some other intervention, is that the problem is going to get worse; it's getting worse pretty rapidly. Probably, what will happen is that it will get to the point where there will be a call for government involvement. There will be some crisis or some disaster, something will shut down the electrical grid for a couple of days or something that will trigger a response; that's certainly feasible. The current environment seems to be more government regulation on things than less. So, yes.

CHABROW: If regulation happens, you want to obviously minimize it?

SLOANE: Yes, I think like everything else, too much regulation is not helpful. First of all, too much regulation won't solve the problem. You can regulate whatever you want, but if people aren't able to comply with it or be knowledgeable enough to comply with it, it is kind of pointless.

CHABROW: Let's talk a few minutes about your company. What are the biggest challenges faced by SRA in providing cybersecurity services to help the federal government secure its IT systems?

SLOANE: It's a booming field these days. We have a lot of demand, so there is always the issue of enough experts, enough people to throw at the problems. We are stretched a little bit in terms of trying to staff all of these programs we have. I would argue that cybersecurity is not solely a technical problem. It is equal parts technical, business process and policy. Certification and accreditation is a bigger problem as particular virus detection issues. It is really trying to combine all of those things and develop a more comprehensive and systematic approach to dealing with the problems.

CHABROW: What kinds of cybersecurity skills, whether technical, process or policy, are you looking for in the employees that you use to help service the government?

SLOANE: Well, we have a fairly broad-based cybersecurity practice. Our practice covers everything from forensic analysis - in other words, post-mortems on what happened in cybersecurity issues - to business process re-engineering, helping organizations move to a more secure cybersecurity posture from whatever they have today, implementing technologies but not necessarily selecting them. At the other end, we have what I would call the architectures and the products, which are used to detect as well as mitigate cybersecurity threats, to really work across that whole spectrum. Therefore, the kind of folks that we are looking for are fairly diverse, and no one person typically has skills across that whole domain, so it's a mix of folks with technical skills, people who have been through managing organizational change related to cybersecurity and folks that understand what it takes to get systems certified and accredited.

CHABROW: Are you optimistic, pessimistic or cautious about the future of the security of both the government's IT systems as well as the critical IT infrastructure of the country?

SLOANE: I'm an eternal optimist in my outlook on life, so I will say that I am optimistic. There certainly are challenges, and I have every reason to believe that we'll address those challenges effectively as a nation, but we do have challenges.
