Cybersecurity picture growing rosier?
- By William Jackson
- Dec 21, 2009
Good news about cybersecurity is nearly as hard to find these days as bipartisanship in Congress, but Mischel Kwon, former director of the U.S. Computer Emergency Readiness Team, says agencies are taking the initiative and changing the way they approach the security of their IT systems.
“A lot of people say we haven’t made much progress, but I would beg to differ,” said Kwon, who now is vice president of public sector solutions at RSA, the security division of EMC.
Kwon, in an interview with Government Computer News, pointed to programs at the departments of Justice (which she helped to implement), State, Agriculture and others in which security assessments are based on monitoring real-time conditions on networks rather than on check-box compliance. One of the most encouraging aspects of these developments is that they are being done from operational budgets, with no new cybersecurity appropriations.
“To think that they did this with no cyber dollars,” she said. “That’s really positive news.”
Kwon was deputy director of the Justice Department’s IT security staff, where she helped to deploy the Justice Security Operations Center and was the department’s Trusted Internet Connection lead, before being named to head US-CERT in June 2008. She left that post to join RSA in August of this year.
The year at US-CERT “really informed me,” she said. “Not so much on technical things, but on the people part of it. I realized that security is more of a people and process problem than a technical problem.”
She said the cyberthreat landscape is not necessarily getting worse, but it is getting bigger as we become more dependent on our information systems.
“The increase we see is in the use we are making of IT,” she said. “Of course, we’re going to see more attacks on IT.”
Because of the increasing dependence on information, information security is moving out of the IT ghetto and is increasingly being seen as a business issue. IT security staffs are no longer just the bad guys whose job it is to say “No.” They are now seen as providers of vital information. “I think this is healthy,” Kwon said.
This shift in attitude is what led Justice to create the JSOC and use it to measure security based on actual network conditions rather than on compliance with the Federal Information Security Management Act. This is an approach advocated by many critics of FISMA, who complain it has become a checklist exercise that has done little to improve the security posture of government systems.
But Kwon is cautious about advocating changes in the legislation. Changes—more in the nature of fine-tuning than a major overhaul—are needed more at the level of the Office of Management and Budget than in the legislation itself.
“We have made a lot of good advances with FISMA, and we don’t want to throw away the baby with the bathwater,” she said. “It is the implementation that needs to be changed. It should be informed by current attacks.”
The next challenge in improving cybersecurity is to improve cooperation and information-sharing among agencies and between the public and private sectors, she said. “I’d love for there to be more collaboration. That would be my Christmas present for next year.”
William Jackson is a Maryland-based freelance writer.