Coviello: Better times ahead for government IT security
New administration and a heightened awareness point to a new priority, according to RSA Security CEO Art Coviello
- By William Jackson
- Nov 18, 2008
Government has increased its productivity with the use of information technology, but at the cost of greater threats to information systems, according to Art Coviello, president and chief executive officer of RSA Security Inc. of Bedford, Mass.
'We have created a degree of openness in our systems that increase the risks,' Coviello said, but added that agencies have not kept up with the job of managing those risks.
Coviello, in Washington to meet with government customers, added that he is heartened by an increased level of awareness in government of cyber risks and threats.
'More and more attention is being paid to criminal attacks on our intellectual property,' he said. 'I see a happy confluence of events with President Bush's call for a comprehensive cyber security initiative and Barack Obama's heightened interest.' The president-elect, he said, 'was the first one to raise this as a serious campaign topic. What I though would happen in 2003 with the release of the Strategy to Secure Cyber Space is now gaining momentum.'
Despite the 2003 strategy, the establishment of an assistant secretary for cyber security in the Homeland Security Department, and the passage of the Federal Information Security Management Act, government IT security is not better now than it was five years ago, Coviello said. But that has not been for a lack of effort. There has been a lack of adequate resources to effectively manage the risks that have been multiplying as information systems become more complex, connected and interactive.
'It's simple,' he said. 'People and money. Throwing technology at the problem is not going to cut it. We have to get smarter. Systems are more than technology.' Effective security systems include the right people to define and understand the risks, the right policies and procedures for managing them, and having enough people to use the technology you have.
Many of these elements are incorporated in FISMA goals, and Coviello said that although the law may be getting a little long in the tooth, it has contributed to the increased awareness of IT security. But it has not been adequately funded, he said.
'What has contributed more to the rising awareness is the threat,' he said. 'There is no doubt we are under attack by criminals and nation states. And I think people are getting smarter about the issue. The first step in solving a problem is understanding that you have one.'
Coviello said he is encouraged by Obama's intention of bringing direction the government's cyber security into the White House. That would give increased leverage to DHS, which has been given the lead in cyber security under the present administration.
The immediate financial crisis could be a bump in the road toward improved security, he said. 'But I think that the stakes are too high. I don't think it will become less of a priority. I'm hopeful that with the transition we won't take a step backward before we take one forward.'
Coviello said he did not think that significant changes are needed in the present administration's cyber initiative, which is just now getting under way.
'What we need is consistent follow-through,' he said. 'Almost any plan that is well-thought-out, and this one is, will work as long as somebody executes against it.'
Coviello would not attempt to quantify the risk of cyber warfare conducted by nation states, but pointed out that other nations already appear to have challenged our defenses. 'I don't think it would be wise to wait to see if cyber warfare is a legitimate threat,' he said. If we accept the use of IT to increase the efficiency of our warfighters, we have to ensure that our risk management keeps up with the risks.
Technology is available to substantially decrease the threats to our systems, Coviello said. 'The problem is eminently solvable. It just takes will.'
William Jackson is freelance writer and the author of the CyberEye blog.