The U.S. government is confused about cybersecurity. Federal agencies need help passing security tests, yet the government is drawn to the big problem of securing the Internet.
There is an undercurrent from government sources that the feds need to step up given the importance of the Internet as an infrastructure to our economy and society and the inability of the private sector to solve cybersecurity problems. In fact, the Cybersecurity Act of 2009, proposed in late March, starts with the assessment: "The Congress finds the following: (1) America's failure to protect cyberspace is one of the most urgent national security problems facing the country."
We have a lot of national security issues in this country and we are hardly lacking in cybersecurity issues, but the last thing we need is federal government intervention in the use of the Internet.
Recently proposed legislation moves beyond actions such as addressing the dismal performance of government agencies against the Federal Information Security Management Act of 2002, provides incentives to college students to become educated in security and forces federal statutes to be in line with the Internet age.
The Rockefeller-Snowe bill also proposes the federal government coordinate a national strategy for private sector security efforts and set auditable standards for private sector security. Together with the Information and Communications Enhancement (ICE) Act filed by Sen. Tom Carper (D-Maine), there is great momentum within Washington for a cybersecurity official that reports directly to the president or the head of the Department of Homeland Security. However, the government is always hopelessly behind the private sector in technology, much like parents are hopelessly behind their teenagers. There are better ways for the public sector to complement the private sector.
The advent of open networking and connectivity has exposed the vulnerabilities in computer systems, yet most of the legislative dialog centers around corporate responsibilities when it may be far more effective to involve the service provider utilities as part of the solution. The initiative for a national identity and authentication service and its large civil liberties implications is a discussion that should be conducted at the highest levels. However, it seems as if the president's attention would be better served focusing on the economy.
DHS has a role to play in coordinating security of government agencies. According to the U.S. Office of Personnel Management, there were 4.2 million total federal employees in 2008, dwarfing the size of any private sector enterprise. The scale of securing federal organizations can often lead to unique and daunting solution requirements as shown by the disappointing FISMA compliance results. DHS can start by establishing an inter-agency community for securing government assets, instilling competition between agencies for security performance, and encouraging innovation and partnership with private industry to narrow the gap between government best practices and state-of-the-art security capabilities.
As recently as June, 2006, the U.S. senator responsible for regulating the Internet, Sen. Ted Stevens (R-Alaska), described the net as a "series of tubes." In three short years the government believes it has progressed from an obviously unqualified leader to the filing of multiple cybersecurity bills with goals of eradicating cybersecurity threats.
The Internet has brought unparalleled positive change to our lives, and the security reality is far different from the hype. It is not unlike the societal changes brought by the adoption of the telephone, television or the transportation network, all of which have worked without security oversight. Thus far, security incidents have been far short of catastrophic. Private industry knows how to build in business resiliency, indemnify consumers, and deploy new technologies to reduce risk. The federal government can learn about managing risk from private enterprises and should avoid rushing in to set standards.
Eric Ogren is founder and principal analyst of the Ogren Group, which provides industry analyst services for vendors focusing on virtualization and security. Prior to founding the Ogren Group, Eric served as a security industry analyst for the Yankee Group and ESG. Ogren has also served as vice president of marketing at security startups Okena, Sequation and Tizor. He can be reached by sending an email to firstname.lastname@example.org.