- By Thomas R. Temin
- May 14, 2002
As in the aftermath of other crises in U.S. history, the government instinctively began creating new offices following the Sept. 11 attacks.
There's the cybersecurity adviser to the president, the Transportation Safety Administration and the Office of Homeland Security. A bill sponsored by Sen. Joseph Lieberman (D-Conn.) would consolidate domestic security activities, including cybersecurity, in a Homeland Security Department.
As things stand now, when it comes to information systems, which many experts say will be a major battleground, there is no single authority for assessing the readiness of agency systems: no Richard Clarke, no CIO, nobody at the Office of Management and Budget.
No single set of standards, procedures, measures or metrics governs computer security. In fact, the field is populated with a collection of acronyms for the standards, metrics, procedures and bodies that develop them: D-IART, IAVA, DITSCAP, INFOSEC, VA/RM, IPMMP, SNAM, SSE CMM, RAI, IA RMT and IDART are but a few.
Such diversity is for the good, some security experts say. In a recent presentation at the Software Technology Conference, Ray Vaughan, a computer science professor at Mississippi State University and an expert on federal IT security efforts, said, 'It would be a mistake to say one size fits all. Security metrics need to be tailored to each organization.'
Fighting cyberwarfare is analogous to fighting a conventional war, in that you need a wide choice of weapons and strategies because no two situations are identical.
He and Ronda Henning, a systems security engineer in the government communications systems division of Harris Corp., had this advice for government systems managers: 'Figure out which [metrics] are best for your organization and work on adopting them.'
An overarching authority will be beneficial if it forces agencies to confront their security threats once and for all. But common sense says, let each organization figure out for itself which tools to use.