New legislation would give security chiefs more power

Lawmakers are crafting a bill that would significantly expand the roles federal chief information security officers have in agencies, including giving them powers to enforce security policies and test federal networks' defenses.

Comment on this article in The Forum.The bill would give CISOs the power to respond immediately to cyber threats and would also create a CISO council where information security officials could meet to share ideas and agree on best practices, much like the federal Chief Information Officers Council.

"I feel the American public is quickly losing faith in the government's ability to protect its sensitive information," said Sen. Tom Carper, D-Del., at a June 18 hearing of the Senate Homeland Security and Governmental Affairs Committee on protecting personal information. Carper's office is taking the lead on the new bill, tentatively dubbed the Federal Information Infrastructure Response Enhancement Act. Members of the federal information security community have been involved in shaping the bill, which Carper expects to introduce in September.

The bill would no longer require agencies to have the CISO report directly to the chief information officer. Instead, agency leaders would have some flexibility to place the CISO in other parts of the organization. In addition, the bill would give CISOs enforcement powers to deal with cyber threats. Currently most CISOs have no such authority; instead they must work through management to correct issues that require enforcement.

"This is a huge shift in cyber security," said Alan Paller, director of research at the SANS Institute, a cybersecurity research and education group. "CISOs now have to actually become technical security people rather than just managers. It's giving IT security managers the right to cut off users who don't follow the rules and changing [CISOs] from paper pushers to actual security."

Paller said the new responsibilities also would lead to a shift in the type of people agencies would hire to work in the CISO's office and which contractors would get jobs. "Now [CISOs] will actually be monitoring systems and making decisions in real time," said Paller, who called the proposed changes "100 percent good."

"To me it sounds like the CISO will be able to respond to violations personally, similar to physical security now," said Pat Howard, CISO of the Nuclear Regulatory Commission. Howard said the proposed reforms would provide a way to take immediate action against users who violate information security policy, whether intentionally or unintentionally, leading to a quicker response to potential threats.

The proposed CISO council would include information security officials from military, civilian and intelligence agencies, and a representative from the Office of Management and Budget. The group would evaluate, recommend and approve best practices for information security, but would leave the process of establishing standards to OMB and the National Institute of Standards and Technology.

The establishment of a CISO council is something "everyone in the CISO community has asked about, talked about and hoped for," for the past few years, Howard said.

"We're all in the same boat, in many cases the threats are the same across the government," Howard said. "Just having that formal body to meet on a regular basis and share ideas . . . would be really helpful."

The second part of the bill would set up a unit within the Homeland Security Department that would test agencies' compliance with the 2002 Federal Information Security Management Act. The new unit would feature a "red" team of government hackers that would seek to exploit known vulnerabilities in agency networks and then report back on vulnerabilities.

Howard said the idea could be useful in providing some assurance that information controls are being implemented evenly across government, an assurance he said has been lacking in the way FISMA has been implemented.

"It should provide a good perspective of how we stack up against everyone else," Howard said. "In a larger context, we could see what the government's vulnerabilities are." He added that he would hope the results would be closely guarded or classified because of their sensitive nature.

Paller called the idea of the red team "more promise than reality" because there are so many different systems in the federal government that building a red team large enough to actively test them all would prove extremely difficult.