William Jackson | What leadership can do
Cybereye commentary | Coda: NIST Computer Security Division sums it up
THE OLD SAW that you can lead a horse to water but can't make it drink is true, but you can't expect it to drink if you don't lead it to water in the first place. That's the conclusion of former presidential assistant John Koskinen on the role of government in improving the country's cybersecurity.
The proper role of government in issues that Congress and the White House cannot effectively legislate or regulate, such as cybersecurity, is to bring the parties together and "drive the point home that this is a serious matter," he said. "If you don't get the right level of leadership, you don't get much traction."
Executive leadership of information technology security has been largely lacking for the past seven years. The Center for Strategic and International Studies will offer suggestions to the 44th president in the hope of giving IT security a higher priority in the next administration, and it recently invited Koskinen to share his thoughts on the subject.
"I am not an information technology expert, and I'm not current with a lot that has gone on since 2000," Koskinen said. In Internet years, it has been a lifetime since Koskinen was chairman of the President's Council on the Year 2000 Conversion. Since 2004, he has been president of the U.S. Soccer Foundation. But he offered an assessment of how the lessons of Y2K could be applied to cybersecurity.
There are differences between the two. "One of the great things about the year 2000 was that there was a deadline," he said. But there also are similarities. Everything is potentially at risk and should be addressed at the same time, he said, within and across public and private sectors. This cannot be managed by a centralized authority issuing mandates.
The key to success in challenges such as these is self-interest, Koskinen said. "It is a terrible waste of time and money for organizations to do this alone and keep reinventing the wheel." But competing companies are hesitant to cooperate with one another, and all of them distrust the government.
"The major challenge will be in freeing up the exchange of information," he said. Koskinen managed that for Y2K by convincing Congress to pass legislation limiting liability so companies could more easily share information without fear of antitrust action or incurring liability if something went wrong.
Cybersecurity was supposed to be the next Y2K. But that was derailed when a new date, Sept. 11, 2001, was burned into the public consciousness. The mantra since then has been homeland security, and the focus has been on physical security.
The demands of physical security will not disappear in the next administration, but there will also be a great opportunity for government to be an honest broker in cybersecurity.
The Federal Information Security Management Act gets mixed reviews for its effect on government information security, but one item that draws praise is the body of security specifications, guidelines and standards that have been generated under FISMA by the National Institute of Standards and Technology.
These are largely the work of the Computer Security Division of NIST's Information Technology Laboratory, which recently released its annual report for fiscal 2007 (GCN.com/1063). During that time, the division published 18 special publications in the 800 series and 14 draft versions of the special publications on subjects such as "Recommendations for Random Number Generation Using Deterministic Random Bit Generators" (SP 800-90) and "Recommended Security Controls for Federal Information Systems" (SP 800-53 Rev. 1). It also issued its "Guide to NIST Information Security Documents" in March 2007 to help make the documents more accessible.
The first phase of the FISMA Implementation Project, intended to give agencies practical guidance in complying with information security requirements, accomplished a great deal. Phase 2 will focus on the development of a program for credentialing public- and private-sector organizations to provide security assessment services for federal agencies.
Another accomplishment during the year was establishing the Information Security Automation Program for the automation and standardization of technical security operations with automated vulnerability management and policy compliance evaluations.