Obama's Cybersecurity Push: What It Means for CIOs
President Obama aims to fix U.S. cybersecurity, but can the feds hit a moving target? Not without private sector support and practical solutions.
None of Gilligan's 20 critical controls "is advancing the state of the art," Gilligan acknowledges, meaning that many security experts could come up with similar recommendations. But the fact that they are spelled out in a prioritized list and known to be effective in protecting IT systems removes the guesswork. Organizations have a clear rule to follow and a procedure for implementing it, monitoring it and measuring it to improve ongoing security protections.
That's different from checklist compliance. "It's a culture shift we're advocating," Gilligan says. Measurement of progress is key. In many organizations—government and private sector alike—fights emerge over basic definitions of "secure," never mind how to achieve it, adds CSC's Mintz. When he was CIO at the DoT, he says, "it became clear that there was no generally agreed to way of measuring how secure we were. If you considered perfectly secure as a 10 and no security at all as a one, we knew we were above a one and below a 10, but that was about it."
That's the kind of situation Obama has criticized. "It's now clear this cyberthreat is one of the most serious economic and national security challenges we face as a nation," he said in May. "It's also clear that we're not as prepared as we should be, as a government or as a country." (See Obama's Cybersecurity Coordinator Has Broad Agenda).
Bigger thinking is needed, Obama said. "Just as we failed in the past to invest in our physical infrastructure—our roads, our bridges and rails—we've failed to invest in the security of our digital infrastructure."
Gilligan knows his is one of dozens of proposals vying for attention from the Obama administration, including ones from various industry trade groups aimed at influencing whatever new rules emerge.
The Cost of Being Secure
In government and in corporate America, concerns about immediate cost can outweigh concerns about long-term safety. "There is concern that fixing some of the security problems will be expensive and harmful in the economy," Spafford says. The Department of Homeland Security, for example, has requested $918 million for fiscal 2010 for information technology. That's 15 percent more than 2009 and that's before Obama has made any cybersecurity moves.
In health care, to spur providers to enter the 21st century, Obama has designated $19.2 billion in stimulus money as available in return for building electronic medical records, computerized order entry and other tech-enabled medical processes. Providing such incentives to banks, power companies and transportation providers in return for updating their security is a good start, says Kurtz of Good Harbor, but it promotes too much short-term thinking.