Duties of infosec czar are hot topic

BY WILLIAM JACKSON | GCN STAFF

SAN FRANCISCO - Federal officials are struggling to define information security and what the responsibilities of an infosec czar should be.

'This is actively being debated in the administration,' said Daniel J. Knauf, chief of the National Security Agency's Office of Policy and Corporate Support. 'I would expect some decisions, probably in the form of an executive order, in the not too distant future.'

Knauf and others from NSA spoke at the RSA Conference 2001 last week. NSA, which once shunned public exposure, now frequently takes part in public forums such as the one sponsored by RSA Security Inc. of Bedford, Mass.

'For high assurance, we will continue to build our own,' said Brian D. Snow, technical director of NSA's Information Assurance Directorate. But the government needs help from industry to secure sensitive but unclassified data, and so far the help has proved inadequate.

'Shame on you,' Snow told an audience of industry representatives. 'You should be doing it better.'

Knauf said no one is certain about the position or responsibilities of an information assurance czar, a title he said the president dislikes. But he outlined a few requirements.

A balancing act

The chief hurdle would be balancing privacy, law enforcement, national security and the economy. That makes it unlikely the job would go to an existing office, which probably would have strong ties to one or more such areas.

Snow defined information assurance as being able to trust a product's security features. He did not call for new security features but said existing ones in operating systems, applications and hardware should be better designed, tested and implemented.

The policy is to use off-the-shelf products when possible, Snow said, 'but we don't do that very often' because most do not meet government requirements. 'Through the coming five-year span I see little improvement in assurance, hence little true security.'

Snow said his pessimistic public stance is designed to get a reaction from industry; he's a little more optimistic privately.

Even so, both he and Knauf said the driving force behind the demand for better-quality security products could be legal threats.

'Lawsuits might lead to fitness-for-use criteria for software, much like ones that other industries face today,' Snow said.
