Obama's Cybersecurity Push: What It Means for CIOs

President Obama aims to fix U.S. cybersecurity, but can the feds hit a moving target? Not without private sector support and practical solutions.


Existing federal IT security regulations—namely the Federal Information Security Management Act, or FISMA—often mandate hundreds of items to check off on a list, including such basics as password protection for sensitive applications. But FISMA doesn't guide IT managers about what kind of password works best (the Consensus Audit Guidelines call for 12 semirandom characters and two-factor authentication).

"You end up filling out long forms showing you comply but you're not necessarily secure," says Schultz of Emagined Security. He tells the story of a national laboratory that didn't have firewalls protecting its network, as mandated. But the lab passed the audit by convincing the auditor that routers were a worthy substitute, Schultz says.

"FISMA is a waste of taxpayer money," he says. "These are not standards that help an organization stand up to the kinds of attacks that occur nowadays."

None of Gilligan's 20 critical controls "is advancing the state of the art," Gilligan acknowledges, meaning that many security experts could come up with similar recommendations. But the fact that they are spelled out in a prioritized list and known to be effective in protecting IT systems removes the guesswork. Organizations have a clear rule to follow and a procedure for implementing it, monitoring it and measuring it to improve ongoing security protections.

That's different from checklist compliance. "It's a culture shift we're advocating," Gilligan says. Measurement of progress is key. In many organizations—government and private sector alike—fights emerge over basic definitions of "secure," never mind how to achieve it, adds CSC's Mintz. When he was CIO at the DoT, he says, "it became clear that there was no generally agreed-to way of measuring how secure we were. If you considered perfectly secure as a 10 and no security at all as a one, we knew we were above a one and below a 10, but that was about it."

That's the kind of situation Obama has criticized. "It's now clear this cyberthreat is one of the most serious economic and national security challenges we face as a nation," he said in May. "It's also clear that we're not as prepared as we should be, as a government or as a country." (See Obama's Cybersecurity Coordinator Has Broad Agenda).

Bigger thinking is needed, Obama said. "Just as we failed in the past to invest in our physical infrastructure—our roads, our bridges and rails—we've failed to invest in the security of our digital infrastructure."

Gilligan knows his is one of dozens of proposals vying for attention from the Obama administration, including ones from various industry trade groups aimed to influence whatever new rules emerge.

The Cost of Being Secure

In government and in corporate America, concerns about immediate cost can outweigh concerns about long-term safety. "There is concern that fixing some of the security problems will be expensive and harmful in the economy," Spafford says. The Department of Homeland Security, for example, has requested $918 million for fiscal 2010 for information technology. That's 15 percent more than 2009 and that's before Obama has made any cybersecurity moves.

In health care, to spur providers to enter the 21st century, Obama has designated $19.2 billion in stimulus money as available in return for building electronic medical records, computerized order entry and other tech-enabled medical processes. Providing such incentives to banks, power companies and transportation providers in return for updating their security is a good start, says Kurtz of Good Harbor, but it promotes too much short-term thinking.

"That would bring us back to checklists again," he predicts, as companies could scramble to meet minimum requirements by a deadline rather than plan a larger, longer-term strategy.

Short-term thinking is a national problem, agrees Spafford. Banks please shareholders quarter by quarter. Carmakers can't think much beyond the current model. And look what happened to those industries. To average citizens, cybersecurity is less pressing on any given day than paying the mortgage, keeping or finding a job and avoiding swine flu. Obama has to make cyberpolicy urgent enough to overcome "the real world," as Spafford puts it. Spafford and other security experts praise Obama for bringing attention to the digital world upon which the United States so depends. But Obama's report, which urges government and industry to work together to unify security practices and metrics, espouses nothing new. They're hoping, rather, for inspiration to reach new heights.

"We need high-intensity, long-term development efforts," Spafford says. "Think of the Manhattan Project or the space race. We need that in cybersecurity."

Do you tweet? Follow me on Twitter @knash99. Follow everything from CIO Magazine @CIOMagazine.


Copyright © 2009 IDG Communications, Inc.
