With cyber threats to government systems growing, budget woes will hamper projects to develop tools needed to monitor, evaluate and mitigate risks, DHS secretary warns.
It is no surprise that the government faces serious challenges in protecting its information systems, both because agencies are high-profile, high-value targets and because agencies lack the speed and flexibility to effectively counter rapidly evolving threats.
“We have once again designated federal information security and cyber infrastructure protection as governmentwide high-risk areas,” Greg Wilshusen, director of information security issues for the Government Accountability Office, told a Senate panel at a recent hearing.
There are some promising developments in government cybersecurity. The Homeland Security Department, which has the nominal lead in protecting civilian agency systems, is taking the initiative to help develop tools and programs that could do a better job of monitoring, evaluating and mitigating risks. But those programs are being threatened by the unwillingness or inability of Congress to effectively fund government operations.
“Sequestration reductions will require us to scale back the development of critical capabilities for the defense of federal cyber networks,” DHS Secretary Janet Napolitano told legislators during the hearing.
Napolitano offered no specifics, but with across-the-board cuts mandated under sequestration it is inevitable that worthwhile programs will be hit just as hard as unnecessary ones.
Tools being developed or advanced by DHS include the Cyberscope automated FISMA reporting systems, which leverages commercial products that use the Security Content Automation Protocol from the National Institute of Science and Technology.
There also is the National Cybersecurity Protection System that includes the Einstein intrusion prevention system. The department’s Science and Technology Directorate cooperates in the development of secure Internet protocols, and Napolitano said that DHS was a leader in the development of the Domain Name System Security Extensions (DNSSEC).
The National Protection and Programs Directorate is developing a commercial Continuous Monitoring-as-a-Service capability to deploy sensors and feed cyber risk data to an automated, continuously-updated dashboard to help agencies see and respond to day-to-day threats.
It is not government’s job to create the technology needed to secure the nation’s cyber infrastructures, and government is unlikely to ever be as nimble and efficient as the private sector in developing security products. But government certainly has a role to play in fostering development of critical tools, especially those such as Cyberscope and SCAP that address government needs.
DHS programs and their results are open to criticism, but it is taking responsibility to help provide agencies with the tools they need to do their jobs. It would be a shame to arbitrarily slash efforts that could produce real benefits.