By: Larry Clinton, CEO/President
Last week, I commented that given we have spent much of the last decade developing a consensus on an overall approach to cybersecurity as articulated in both the House GOP Task Force on Cybersecurity and President Obama’s Executive Order 13636, the one thing we don’t need from the newly appointed President’s Commission on Enhancing National Cybersecurity is a new “plan.” We need action.
For the next several weeks, I’d like to offer my own top ten list of what actions the next Administration ought to undertake to improve cybersecurity.
Item one: Government needs to get its Own Act Together with Respect to Cybersecurity.
Government’s credibility in educating, let alone regulating and mandating, cybersecurity in the private sector is clearly undermined by its lack of demonstrated ability to manage its own house.
A 2015 study by Veracode compared civilian federal agencies (not DoD or Intel) to the private sector and found the federal agencies ranked dead last in fixing security problems in software they build and buy. Federal agencies failed to comply with security standards 76% of the time.
Greg Wilshusen, Director of Information Security Issues for the Government Accountability Office, explained in Congressional testimony some of the reasons the federal government doesn’t benchmark well against the private sector on cybersecurity.
“Agencies rarely have adequate procedures for testing for security. When we evaluate agencies we tend to find that their evaluations are only interviews with people…they don’t actually test the systems. We constantly find vulnerabilities that we identify as part of our testing and audit procedures that are not being found and fixed by the agencies.
“Government agencies follow what IT pros call a policy-based approach to cyber security, where agencies check off a list of requirements set by lawmakers and regulators that they have to follow.
“Private companies typically do the same thing (because they have to) BUT they also add to their mix a risk-based approach. With a risk-based approach you look at what the attackers might want and what’s in place to stop them.”
Consistent with the finding that government procedures for protecting its own information are inadequate is the finding that government is not structured to manage, or effectively govern, cybersecurity.
A 2015 Bank of America Merrill Lynch report found “the U.S. government is still in the process of determining who will have jurisdiction in cyberspace. As the Department of Defense, DHS, and their subordinate organizations like the U.S. Air Force, Army, Navy, Defense Agencies, and Commands battle for jurisdiction and funding, the result is a fragmented system muddled with a political agenda, which hinders the development of a more secure system.”
The chaotic and disorganized governmental structures are not just inefficient; they have serious downstream, negative implications for citizens and the private sector. Government’s lack of clarity as to how to manage its own security leads to confusion, redundancy and inefficiency for the private sector, complicating an already daunting problem.
Much of government’s organizational problem emanates from the lack of responsiveness to the Digital Age. Michael Daniel, Special Assistant to the President and White House Cybersecurity Coordinator, has made this case: “We’ve got architectures in various places (in the federal government) and hardware and software that is indefensible…. We tend to treat these computer systems…as these gigantic capital investments like buildings, rather than an investment that you need to continually refresh and treat more like a revolving fund or a management budget,” remarked Daniel.
However, a larger factor comes from government’s unwillingness to manage itself. It is only slightly hyperbolic to note that the most powerful force on Capitol Hill is not policy, or partisanship, or even money — it’s turf. There are currently scores of congressional committees that have jurisdiction over the Department of Homeland Security (DHS). With so many chiefs commanding the Indians, it’s no surprise the nation is poorly defended.
A new President and a new Congress need to seize the opportunity to reorganize government for the digital age, including the budgeting process. Moreover, government needs to inject systematic rigor into managing its own programs. This does not currently exist with respect to cybersecurity.
In addition, all current and future government cybersecurity programs ought to have clear objectives that are subject to a cost-benefit analysis (CBA). Although President Obama’s Executive Order called for the NIST Cybersecurity Framework to be subjected to cost-benefit analysis, there has been no such effort. Programs need to be periodically evaluated and, if cost benefit cannot be demonstrated, then the program needs to be reformed or canceled. If a reformed program still fails the CBA test, responsibility for the program should be shifted. If the program still cannot pass CBA, it should be canceled.
15 Years of Cybersecurity Experience and Thought Leadership Culminates in ISA’s Newest Publication:
SOCIAL CONTRACT 3.0
“If you had ten minutes to talk to the next President about cybersecurity, what would you say?”
We asked just that question of our ISA Members, Associates and Friends representing an international coterie of C-level cybersecurity experts and thought leaders. Their answers became Social Contract 3.0, a new book from ISA rich in cybersecurity analysis and leadership across a wide range of topics and sectors.
SAVE THE DATE! We will launch Social Contract 3.0 at our 15 Year Anniversary Conference in Washington, DC, September 15 and 16. The Conference features panels from our experts along with keynote speeches from U.S. Government leaders in Cybersecurity Policy and Legislation.