Guarding Networks
Heightened awareness about the sorry state of cybersecurity might be just what chief information security officers need to finally be heard.
This has been a career-changing year for federal chief information security officers. High-profile cyberattacks - such as hackers stealing data on the Pentagon's F-35 high-tech fighter jet - have increased criticism from Congress and the White House about how computer systems and networks are protected. That's turned the white-hot spotlight on CISOs and how they do their jobs.
And that's a good thing, these chiefs say.
"We've seen heightened awareness, where people are starting to understand what cybersecurity is and what bad things can happen," says Pat Howard, head of information security for the Nuclear Regulatory Commission. "I hope that will increase the visibility of the CISO, and more importantly, the IT security program. We're getting traction."
But that hasn't always been the case. As early as last year, CISOs complained that they, and their charge to protect government systems, just weren't getting attention and support from senior managers and politicians. "How do you take control when you don't maintain clear authority to make decisions? That stymies processes," Larry Ruffin, CISO at the Interior Department, told Government Executive in 2008. "We don't get clear approvals and don't feel empowered to make decisions that might have budgetary impacts."
In less than a year, lack of authority is no longer a complaint. More than half - 57 percent - of CISOs say their decisions have a significant impact on the security posture of their agencies, according to a survey conducted by the International Information Systems Security Certification Consortium (ISC2) during the first quarter of 2009.
Congress has begun to take notice of CISOs as well. In May, the Senate asked federal CISOs for feedback on the 2009 U.S. Information and Communications Enhancement Act, which if passed, would dramatically elevate the security chiefs' status by establishing a National Office for Cyberspace in the White House and set specific standards for securing information systems that contractors would have to meet.
"The era for paying attention to computer security and cybersecurity has arrived," says Bruce McConnell, incoming counselor to the cyber chief at the Homeland Security Department and a former information policy chief at the Office of Management and Budget. "CISOs are in the spotlight, and with the increased visibility comes increased opportunity. The stakes are higher, but they're being heard."
Change Still Needed
Agency heads might be more likely to act on CISOs' recommendations, but security managers say they still need more support from senior management and more resources to meet shifting goals, according to the ISC2 survey.
Since 2002, federal agencies have had to comply with the Federal Information Security Management Act to certify their networks are safe. FISMA requires agencies to identify all IT systems in their organizations, determine the sensitivity of the information stored on those systems, identify potential vulnerabilities that could expose data and implement security controls.
But critics say the law focuses too heavily on certifying that systems are secure and doesn't lay out metrics for how agencies would defend the systems from cyberattacks. That's why 48 percent of CISOs said in the survey that FISMA led to real but uneven improvement in information security. Nearly one in five (19 percent) said the costs to comply with the law exceeded its benefits, and 24 percent called compliance a paper exercise that led to few security improvements.
"FISMA assumed that if you inventory systems, put them through this defined process, and then maintain the security controls implemented, you'll be OK," says Robert West, CISO at the Homeland Security Department. "But if there was any lesson learned, it's that these are pervasive, persistent, aggressive adversaries. We're going to continue to see attacks with initial successes, and we need the visibility to stop them quickly."
Those problems occur governmentwide. "We've been following the threats and then trying to counter those threats by throwing up firewalls to keep people out," says Lou Magnotti, chief information officer and former CISO for the House of Representatives. "But now we have our own people going on the Internet and bringing malicious code back with them. CISOs need to recognize that the game has changed and get better at monitoring. We need to look deep into the computer systems, deep into code, to find some of these sophisticated vulnerabilities."
CISOs could soon have the backing from Congress to do so. The Information and Communications Enhancement Act would require every agency to appoint a chief information security officer, who would be responsible for monitoring, detecting and responding to cybersecurity threats. FISMA required agencies to appoint not a chief, but a less influential "senior agency information security officer." The bill also would require the Commerce Department secretary to establish security standards, based on guidelines developed by the National Institute of Standards and Technology, for agencies to fix security holes in computer systems.
A list of performance standards could be modeled after the Consensus Audit Guidelines, which provide agencies a list of controls to stop or quickly recover from known cyberattacks, as well as examples of real-world attacks, to educate agencies about the potential risk of not securing systems, Interior's Ruffin says. The guidelines, which were released in February, were developed by top security analysts from industry and government, including the Defense and Energy departments, DHS, the National Security Agency, and the Government Accountability Office.
Climbing the Ladder
The proposed bill also would require CISOs to report directly to the head of an agency, rather than the CIO, as is typically the case now. That would mean most federal CISOs would have a new, much more powerful boss. Three-quarters of all government CISOs report to the agency CIO and the remainder report to the deputy CIO, a security director or a departmental CISO, according to the ISC2 survey.
The reporting change has received mixed reactions. CISOs should report to someone who's responsible for addressing all forms of risk and is focused on the agency's mission to ensure information security is considered in all agency initiatives, McConnell says. But other security professionals argue the CISO should report to the chief information officer to make sure information security is incorporated into IT projects at the start of development and that security receives an adequate portion of the IT budget, which most CIOs control.
"Our position has to be one of providing assistance in achieving all IT goals," NRC's Howard says. "If you tilt the balance so far that the CISO is pulled away from IT operations, the role becomes something like an IT auditor, and CISOs should not be in that position. We have [inspectors general] for that."
Magnotti, who was CISO at the House for nearly a decade before being promoted to CIO in 2008, believes chief information security officers who report to the CIO have more influence on information security than those who report to the chief executive officer or the chief operating officer. "If the CISO is outside the CIO's office, a lot of times they turn into a policy shop with not a lot of enforcement capabilities," he says. "Being on the ground level where the CISO and the CIO can work hand in hand creates a cohesiveness and enforcement mechanism that translates to better secured networks and systems." But, Magnotti adds, agencies must decide what works best for them.
The challenge for CISOs is convincing the IT department that the goal of the information security chief is not to impede progress. Magnotti, West, Howard and Ruffin say by working closely with the IT office, CISOs have a better shot at doing that.
"We're not looking for a power play. I don't think any CISO is," Ruffin says. "It's better to make cautious, incremental changes to the role itself, separate of any changes in authority. Baby steps are better than enormous, disruptive changes."
Another CISO Booster
Results of a review of cybersecurity initiatives President Obama ordered also have pulled CISOs into the top management ranks. More than 250 requirements for protecting cyberspace were identified during the review, many of which could trickle down to the agency level. Melissa Hathaway, acting senior director for cyberspace for the National Security and Homeland Security councils, who oversaw the review, emphasized the need for the White House to coordinate cybersecurity efforts. A cybersecurity plan likely won't drill down to the agency level, says James Lewis, director of the technology and public policy program at the Center for Strategic and International Studies. But it "will help make cyber-security a higher profile mission. It elevates it beyond the CISOs to someone with the authority to say, 'This is part of what you must do when you conduct business.' " Lewis served as program manager for the Commission on Cybersecurity for the 44th Presidency, which released a report in September 2008 suggesting how the government could secure cyberspace.
Results of the commission's review, particularly when combined with any legislation that passes in Congress, also could push OMB to work more collaboratively with the CIOs and CISOs on cybersecurity efforts and cause the White House to pay more attention, according to Lewis.
"Sometime in the last couple of years we moved from the Internet being an ornament to it being a central pillar of how government works," he says. "The problem is we haven't kept up with security, and now we're racing to get to where we need to be. I'm not going to say we're in crisis mode, because that makes it sound more dramatic than it is; but we're not in good shape either, and everyone is finally beginning to recognize that."
And CISOs couldn't be happier.