Feds' Enterprise Approach to Cybersecurity
Getting Agencies to Harmonize on the Way They Secure IT
Tackling cybersecurity as a single enterprise, rather than through 26 major and 100-plus smaller departments and agencies, is one of the Obama administration's IT security aims, White House Cybersecurity Coordinator Howard Schmidt says.
Schmidt, in a video interview with GovInfoSecurity's Eric Chabrow, addresses the importance of the Department of Homeland Security being the lead agency that assures the civilian, .gov part of the federal government - non-military, non-intelligence agencies - is in harmony as departments and agencies meet their IT security challenges.
It's not that Schmidt doesn't have faith in departmental and agency chief information officers and chief information security officers; as a group they're doing a fine job, he says: "We have really talented CIOs and CISOs out there across the .gov environment, but what happens is they're starting from different places."
After having conversations with agencies' IT security leaders, Schmidt noticed that some agencies were well on their way to being compliant with the Federal Information Security Management Act, the law that governs federal cybersecurity, while others, because of how they prioritized their IT security initiatives, weren't as advanced as they should have been. "This harmonizes that," Schmidt says.
Schmidt says Homeland Security has a growing pool of experts who can help agencies achieve their IT security goals and can provide agencies IT security direction through a year-old program called CyberStat. In CyberStat sessions, cybersecurity experts from DHS, the White House Office of Management and Budget and the national security staff help agency IT security leaders develop action plans to improve their information security posture.
Agencies also share resources to make sure they have the capabilities to move forward quickly with their infosec initiatives, Schmidt says.
In the interview recorded at the RSA Conference 2012 security conclave that ended earlier this month, Schmidt also:
- Discusses the importance of codifying best security practices implemented by the Obama administration in a new cybersecurity law;
- Addresses progress in the Trusted Internet Connection, an initiative that reduces the number of connections between the Internet and federal networks, and in Einstein 3, the intrusion prevention initiative;
- Explains why he's optimistic that Congress could enact significant cybersecurity legislation this year.
Obama named Schmidt as special assistant to the president in late 2009; he started his job as cybersecurity coordinator in January 2010.
ERIC CHABROW: Legislation is before Congress. The President has his own proposals to reform the Federal Information Security Management Act. There's still some question whether legislation is going to pass. Is it really needed, because aren't you already doing a lot of what the legislation says?
HOWARD SCHMIDT: That's correct and that's when we look at two parts of this, the proposed legislation the President put forward with what are things that we really need Congress to do to help us with some of these things? Some of them, as you know, are very clear: enhancement penalties for cybercriminals, authorities for DHS to hire and be more competitive with the private-sector folks, the ability to share information with private sector and vice versa. But the part and component that we've been doing via memo - we believe since FISMA was a piece of legislation, we would like to have codified in the law the changes to FISMA relative to continuous monitoring and more importantly DHS's role as the body that treats the .gov environment as a single enterprise as opposed to 26 plus and 100-plus smaller organizations.
Harmonizing Different Agencies
CHABROW: Let's follow through on that point. Don't the CISOs know best how to secure their organizations?
SCHMIDT: Yeah, and it's not a matter of they don't because we have really, really talented CIOs and CISOs out there across the .gov environment, but what happens is they're starting from different places. For example, when we sent the memo to talk about continuous monitoring, moving away from an environment where you're just creating reports to be compliant while still unsecure, the idea is we can be more secure, which makes us FISMA compliant. Some agencies were well down the path of doing that and had pretty good processes in place. Others were just, because of prioritization, the way their organization looked at it - this harmonizes that. This gives a framework by using what we call CyberStat sessions with the departments and agencies, the experts over there sitting down with DHS and sort of walking through the Presidential priorities, TIC, the continuous monitoring and the use of strong authentication, be able to sit there and then actually track that. For those that need some help, we do share resources to make sure that they have some capabilities to move forward quickly. That's the real benefit that we get from this.
Trusted Internet Connection
CHABROW: You mentioned TIC, the Trusted Internet?
SCHMIDT: Trusted Internet Connection.
CHABROW: Which is sort of monitoring and narrowing the number of links between the Internet and the government, correct?
SCHMIDT: That's correct and something that those of us who have been doing this for a long time fully recognized, and we've said many times - complexity is the enemy of security. At one point ... and companies were in the same boat for a number of years, you have literally thousands and thousands and thousands of connections between your business units, your employees and the Internet. It's difficult to do intrusion detection, intrusion prevention; it's difficult to do malware blocking at an enterprise level and that's the idea of TIC, to collapse it down to a more manageable number. The DHS will be out there as the service provider, if you would, for the rest of the departments and agencies so they can actually focus on what their business needs are, and not so much building infrastructure that's sort of shared by everyone.
CHABROW: Do you have any metrics to show of the success of TIC?
SCHMIDT: We have some coming up. As a matter of fact, the Office of Management and Budget - OMB - has recently put together these cybersecurity goals and will be posting those on the Internet in those three areas: continuous monitoring, use of strong authentication - or HSPD-12 is what we call it - and also the TIC deployment.
CHABROW: You also mentioned intrusion protection and I think of Einstein, the various modes of Einstein. Einstein 3 is to actually prevent?
SCHMIDT: That's correct.
CHABROW: Where do we stand with Einstein 3?
SCHMIDT: Einstein 2 is pretty well down the road and that's intrusion detection. The intrusion prevention, or Einstein 3, is the next stage which is why we're looking to consolidate this with DHS, once again to have a common platform so we can do intrusion prevention, and that's the secret to it. As governments, as businesses, as citizens, we've always done a good job about recovery and in this case we're trying to be more preventative.
CHABROW: Cybersecurity reform legislation before Congress - there seems to be widespread support for it, but there's a certain area where some partisanship is being shown, which is over regulation. And the way I look at the President's proposal and the Senate bill, it seems that's a compromise. In other words, the government is not regulating. They're asking business to identify how they would enforce security and then it would be the role of government to make sure they do that. If that's a compromise, it's still having a tough time in Congress. How do you get around that?
SCHMIDT: I don't know if it would be a compromise, nor do I see it as being a partisan issue other than people believe truly there [are] different ways to address the same problem, and that's the part that we're very thankful that Congress is working both bi-partisan and bi-cameral on solving this issue. Our proposal, when you look at what people refer to as a regulation component, we want to make sure that in the narrow piece of core critical infrastructure that there's some level of assurance that we can tell the citizens that companies that provide your water, electricity, transportation system are doing the agreed upon industry international standards to do best practice in cybersecurity. If they are, there's no problem.
The idea is having this group put together with Homeland Security, and under the leadership of the secretary of Homeland Security, to identify what is core critical infrastructure. Once that's identified - and in some cases it may be a business unit, in some cases it may be a specific service, to agree on that - once that's agreed on, to identify what's being done, and I'll give you an example. If a company who's agreed upon has been identified, their business unit is core critical infrastructure says, "Yeah, we're doing all these things," but access to the digital control device that lets water out of a facility for electricity generation, you can just log in with user ID and password, I think we know there are better ways of using strong authentication and encryption. They come back and the government says, "Are your industry peers as well as government experts saying you should be using strong authentication and encryption?" They say, "Okay, you're right. We'll do that, and we'll start down the path." That's a good thing.
But there's also the possibility that somebody says, "We don't believe the risk is there. We don't think it's something we want to change our business process; we're going to go with it." It's not a matter of going around and now the government comes in, but it says, okay, you decide that you don't want to do that, so me, as a government, do I want to do business with somebody that's not going to do the basic security things? You as a corporation owner, do you want to do business with someone that does the right thing when it comes to cybersecurity or are you going to go with somebody that does? That's sort of the impetus of this thing and that's the part we really [have] to reconcile. This is not asking people to do what they shouldn't already be doing, just as a core business process.
CHABROW: You tend to be an optimist, at least from my previous conversations with you. Are you optimistic about this?
SCHMIDT: I am and here's why. People fully recognize that there are threats out there. We have vulnerabilities. While we work to reduce the threats through some of the great activities that the law enforcement community is doing, arresting some of the criminals out there, we can't just say, "Okay, the threat, we're going to mitigate that but not take care of the vulnerabilities." Congress recognizes it. The administration, the executive branch, private sector recognizes it, and it's a matter of, and I've said for a long time, while we may not agree on everything, let's agree on the things we do agree on and move that forward.