Another View: DHS' cybersecurity chief: Orchestration vs. regulation
- By Ralph Buona
- Sep 21, 2005
The Homeland Security Department recently undertook a critical step toward safeguarding the nation's information assets by creating an assistant secretary-level position dedicated to cybersecurity. This timely and prudent action should be lauded.
However, two fundamental questions remain for this new maestro. Will the new cyberchief have greater authority to create security requirements for all federal agencies? How will DHS further strengthen its relationship with private industry organizations whose business operations also impact national security?
Protecting the government's information assets alone is a complex mandate. Newly minted regulations and initiatives promote better information assurance practices, but each tends to create a resounding set of effects that come with their own set of challenges.
The Federal Information Security Management Act is a prime example. FISMA outlines the information assurance measures required for federal agencies, and while it helps agencies improve the security of their technology, compliance is time-consuming and paper-intensive. Many agencies claim that the time spent satisfying FISMA reporting requirements exceeds the time spent implementing the actual security measures. Clearly, this is an untenable situation. Federal agencies' security teams will crumble under the weight of more security reporting requirements.
With this in mind, how can DHS be effective without requiring that specific security precautions be applied? Cyberthreats are constantly evolving to circumvent countermeasures; viruses mutate hourly and hacker sophistication changes minute by minute. The federal government will utterly fail to protect information assets if it attempts to address security on an annual schedule.
And if protecting the U.S. government's information assets wasn't a large enough task, DHS must help protect organizations that fall outside of its jurisdiction. Banks, credit card companies and power companies are likely targets for future attacks. As the attacks of Sept. 11 demonstrated, terrorists aren't just targeting symbols of government, but our economic infrastructure as well.
Certainly, protecting private-sector assets is the responsibility of the individual organizations, but it's clearly an issue of strong national interest to ensure that effective security measures are in place.
The role played by DHS in this domain will be a sensitive and complex one. Private organizations will always be wary of having information security policies dictated by the federal government. Yet they will look to the government for guidelines and assistance.
To help better protect our nation's government and business interests, DHS' office of cybersecurity must look to partnerships with federal agencies and with the private sector. The answer lies in creating harmony among the numerous producers and consumers of security offerings. By providing access to easily understood information about best security practices, and free and commercially available tools, DHS can improve the ease and likelihood of effective information asset protection.
Security teams in the public and private sectors are dedicated to securing their organizations. Rather than dictate more rules for them to decipher and implement, DHS should provide guidance about how better to improve security. By spending less time focused on regulations and more on providing ideas for best practices and alerts about emerging threats, DHS will improve the national response rate to new potential attacks.
The new cyberchief should be a highly visible champion of security procedures and best practices that can ultimately fulfill the needs of public and private organizations.
As the conductor of this complex and vitally important orchestration, the new cyberchief must ensure the effective use of public and private-sector contributions. There are many challenges yet to be addressed, and the threat of attack grows with every passing day. DHS appears willing and able to tackle the significant challenges ahead, and we eagerly await the results.
Ralph Buona is vice president of business development for Telos Corp. of Ashburn, Va., and a principal member of the Homeland Security and Defense Business Council. An Air Force veteran, he has worked with the federal government for the last 23 years.