Duties of infosec czar are hot topic

Duties of infosec czar are hot topic

BY WILLIAM JACKSON | GCN STAFF

SAN FRANCISCO'Federal officials are struggling to define information security and what the responsibilities of an infosec czar should be.

'This is actively being debated in the administration,' said Daniel J. Knauf, chief of the National Security Agency's Office of Policy and Corporate Support. 'I would expect some decisions, probably in the form of an executive order, in the not too distant future.'

Knauf and others from NSA spoke at the RSA Conference 2001 last week. NSA, which once shunned public exposure, now frequently takes part in public forums such as the one sponsored by RSA Security Inc. of Bedford, Mass.
'For high assurance, we will continue to build our own,' said Brian D. Snow, technical director of NSA's Information Assurance Directorate. But the government needs help from industry to secure sensitive but unclassified data, and so far the help has proved inadequate.

'Shame on you,' Snow told an audience of industry representatives. 'You should be doing it better.'

Knauf said no one is certain about the position or responsibilities of an information assurance czar'a title he said the president dislikes. But he outlined a few requirements.

A balancing act

The chief hurdle would be balancing privacy, law enforcement, national security and the economy. That makes it unlikely the job would go to an existing office, which probably would have strong ties to one or more such areas.

Snow defined information assurance as being able to trust a product's security features. He did not call for new security features but said existing ones in operating systems, applications and hardware should be better designed, tested and implemented.

The policy is to use off-the-shelf products when possible, Snow said, 'but we don't do that very often' because most do not meet government requirements. 'Through the coming five-year span I see little improvement in assurance, hence little true security.'

Snow said his pessimistic public stance is designed to get a reaction from industry; he's a little more optimistic privately.

Even so, both he and Knauf said the driving force behind the demand for better-quality security products could be legal threats.

'Lawsuits might lead to fitness-for-use criteria for software, much like ones that other industries face today,' Snow said.

inside gcn

  • Congressman sees broader role for DHS in state and local cyber efforts

    Automating the ATO

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above