Internaut: Security will stay front and center in 2005
Shawn P. McCarthy
As 2004 winds to a close, I thought it appropriate to look toward 2005. Here are some interesting security issues to watch for in the weeks ahead:
- Expect greater government use of really simple syndication, or RSS, data feeds to share security and emergency information among agencies.
Such feeds, structured to share information in a tagged, standardized way via Extensible Markup Language, are often used by news organizations and bloggers to publish articles, making them quickly available to subscribers.
Agencies are realizing RSS can be used for everything from emergency alerts to monitoring the status of public utilities and providing details on new systems or resources.
Some examples: This year, the National Hurricane Center, a service of the National Weather Service, started to provide hurricane advisories via RSS feed; and the state of California offers Emergency Digital Information Services at www.edis.ca.gov.
- The Defense Department's effort to reduce the number of public-key infrastructure systems it supports is just an opening salvo.
PKI standardization is likely to continue across the government. Expect to see similar decisions in other agencies because many offices struggle with PKI tools that don't always interact well with one another. Dave Wennergren, Navy CIO and chairman of the DOD Identity Protection and Management Senior Coordinating Group, told GCN in November that DOD may cut back to a single PKI. It's an obvious problem, and standardization is an obvious solution.
- Computer hacking activity often jumps in December.
One theory is that students are out of school, and those who feel malicious have more time to try their hand at hacking.
If you are a federal government employee and notice a cybersecurity problem of any type, visit the Computer Emergency Readiness Team at www.us-cert.gov/federal. There you can report what you've seen and possibly help shut down security problems.
- We should learn more about the state of agencies' IT security.
It's been about a year since the House Government Reform Committee issued its constructively critical Federal Computer Security Report Card. An updated document is reportedly in the works and should be issued this month.
Last year's report gave the Homeland Security Department an F for its cybersecurity capabilities. The new report is likely to ask that federal CIOs be empowered to develop and implement effective security strategies and focus on enterprise solutions. This will mirror last summer's action by the CIO Council, which issued a document about how privacy and security should be addressed within OMB's five enterprise architecture reference models.
- Expect to see a slew of new products aimed at improving patch management and installation across large government enterprise systems.
Though such products already exist, patch management remains a huge challenge for many government network security officers, according to a study by systems integrator Intelligent Decisions Inc. of Chantilly, Va.
Those surveyed listed patch management as their top concern. This important element of security management is critical to limiting the vulnerability of government systems, but automated patch management is often taken less seriously than firewalls and virus-scanning software. The new products will likely appear because managers are spurred on by compliance requirements of the Federal Information Security Management Act.
Whatever happens as 2004 closes and 2005 dawns, cybersecurity issues will remain on government agencies' front burners. We'll be addressing many of them in the New Year. Good luck.
Shawn P. McCarthy is senior analyst and program manager for government IT opportunities at IDC of Framingham, Mass. E-mail him at firstname.lastname@example.org.