Mission Impossible? A Plan to Secure the Federal Cyberspace

Security expert Ariel Silverstone looks at what is needed to truly secure the online systems used by the federal government. Does Obama's plan measure up? (First of a three-part series)

About this series: In a paper he wrote and published before President Obama's announcement regarding the creation of a national cybersecurity coordinator, Ariel Silverstone, CISSP, put forward his thoughts about the necessity of having a chief security officer for the United States. In this first installment, he discusses the need he sees for the role, his idea of placement, timetable, and the CSO's role definition. Silverstone also lists his vision for the first (of 23) tasks that he sees as essential for information security in the United States.

Numerous people have stated over the years that the federal information security sphere is an unmanageable creation: one with "too many fathers," conflicting priorities and political red tape, and one that is far too big to grasp. While these are all valid criticisms, a leader with the proper drive, resources, and ability to build consensus and harness collaboration would be able to reach and maintain manageability of this sphere.

What follows are my thoughts on how to do so. This task is a hard one. No single person can do it alone, and the leadership to form and coordinate the right combination of public and private partnership and a sense of common mission are essential to the task.

No single thesis, however lengthy, can encompass the whole spectrum of challenges. While comprehensive, this essay is not meant to contain the detailed solution to the problem. I do, however, list some of the measures that I think are necessary, and highlight some of the difficult paths that must be crossed to reach the desired outcome: a well-secured information realm, where the business of our civilian government can be maintained and operated with minimized risk and greater efficiency than under the currently employed model.

The 20th Century was largely seen as The American Century. As the world was reaching the end of the industrial age and the information age was coming into its own, people, including myself, came unto these shores seeing America's unlimited horizons in our future. America's greatest asset has proven to be the enhanced knowledge that information, and information technology, has provided us. The strategic advantage this information provides allows us to lead in advanced research, bringing us vast wealth, but also vast problems. We are the most spied-upon country in the world.

HOW?

Information security management is impossible in a vacuum. We must build on four decades of lessons learned and establish our practice using the best available minds to assure our leadership in information security. After reviewing some of the vast amounts of data available, it is only fitting to echo the Government Accountability Office (GAO) recommendation to "make the federal government a model in cybersecurity."

While not new, I propose three principles for organizing the national cybersecurity effort. These tenets are public/private collaboration, information sharing and directed research.

Some of the ideas put forward in the 2003 National Strategy to Secure Cyberspace document (NSSC-2003) are worth following; however, I agree neither with the prioritization nor with some of the stated goals. The reader will find further information on this statement in the following sections.

WHEN?

One of the issues that continually hampers remediation efforts is that an equal sense of urgency is placed on all of the efforts needed to advance good cybersecurity. While a sense of urgency is appropriate to cybersecurity, we must organize our efforts into several priorities. In broad strokes, let us break the categories down as follows: known and dangerous vulnerabilities which present imminent risk become part of the Urgent Plan; quantified goals and design methods to address these are put into the Tactical Plan (three-year); and longer-reach opportunities, especially those which require new investments, additional planning, and are known to require a longer period of time, become the heart of the Strategic Plan (five-year).

It is pragmatic and wise to divide and conquer the problems according to their risk, the amount of investment, and the time required to achieve a true change. The priorities established in 2003 Cyberspace have changed because the situation has become highly fluid. Further, the rapidity with which events are presenting themselves has outpaced our ability to foresee and address them in a properly deliberated and cogent fashion. It is evident that there are cybersecurity challenges which must be addressed in the here-and-now, and that those challenges which can be placed into a well-defined timetable are to be dealt with in a thorough and well-monitored fashion.

WHOM?

It would be beyond foolhardy to imagine that a government, even as powerful, large and resourceful as the government of these United States, can do everything that needs to be done on its own. In this aspect, I would adopt both the 2003 Cyberspace and the GAO's findings that collaboration with industry is the key to a successful solution to this complex and ever-evolving challenge.

In the following pages, I expand on what I believe are the essential steps that must be taken, and with whose assistance. One point that must be made: Government-private-sector cooperation will have to be a two-way street. The government must lead and contribute, and the private sector must respond in kind. Ideas on collaboration, including issues, forums, relations and timings, are covered in this document.

WHAT?

As the current debate raging on Capitol Hill, and elsewhere, shows us, there is tremendous interest in the roles of this position. This position, which in effect is the Chief Information Security Officer of the United States, requires careful definition. In particular, the position's scope, its place within the Administration, and its reporting structure must be well thought-out. Additionally, this official's role in determining the information security facet of the Budget should be clearly specified. This paper addresses my vision for this position -- what I believe would be required in order to deliver on the scope defined herein.

ROLE

The person entrusted with securing the information essential to our United States should have a clearly defined role. This role should not generally change between one Administration and another; consideration should be given to making this a term appointment; and the role should be flexible enough to evolve as the threat scenario changes.

Allow me to clarify that the term "information security" is not identical to "IT security." The responsibility of this job is much bigger than protecting the computer infrastructure. The reference here is to any information assets, which may include, for example, physical protection of Internet peering points; business continuity and disaster readiness; strong authentication and other methods to mitigate the human factor; and standardization of what is applicable for use in solving repeatable processes. The examples are long and varied; the important part is that this comprehensive approach is understood and addressed.

There are at least two focal points for this role.

Firstly, this person should set the rules, policies and standard of diligence for all Federal agencies (excluding the Defense and Intelligence Community). In this first role, the person is acting as the Chief Information Security Officer for the Federal Government, and as such, agency CISOs should have dotted-line responsibility to this office. This role should also include an advisory capacity to help define the roles of other agency Information Security Officers. Additionally, this person is also the one to represent the civilian Federal government in its relationship with the public, with industry, and in intra-governmental transactions.

The second focal point for this role is acting as the guardian of the civilian information infrastructure in the United States. In this role, the responsibility to provide guidance and protection to our varied Supervisory Control and Data Acquisition (SCADA) systems, for example, is a major one. The SCADA systems, while owned and managed by private industry, are depended upon for the delivery and smooth and efficient operation of a large part of the Government's services to our public. Clearly, a strong relationship with private industry, with the public, and with academic institutions is demanded here to deliver on the requirements of this role.

SCOPE DEFINITION

The time has come for a line to be drawn in the sand. What are the relevant systems, locations, networks, people and reach of this role? This question must be answered.

As detailed in a section below, I believe that one of the responsibilities of this role, one necessary for the person to perform his or her duty, is the definition of scope. Clearly, this paper is too narrow to define all the tasks that need to be performed. However, statements are made in an abbreviated form covering a subset of them. The number assigned to each task does not necessarily refer to the task's priority.

Task 1: Assign all civilian agencies a date by which their systems, networks, locations and boundaries (at the topological layer) are fully defined and this definition is communicated to the office of the CISO. This task entails establishing the exact content that needs to be collected; the format in which this communication is to take place; who, at each agency, will be responsible for the assembly and collection of this data; and how the data will be updated and maintained once collected.

Task 2: Define the crossover and shared points between agencies; between agencies and the public; and between agencies and non-civilian governmental entities.

Task 3: Inventory the information protection assets that exist within each agency. This task refers to all resources -- from personnel to tools, etc.

Task 4: After successful completion of tasks 1 through 3, define the criticality, arising from either mission need or data sensitivity, of each and every system and data asset in a manner similar to Department of Defense classification level, and further specified in FIPS Publication 1999.

Task 5: Perfect the definition of information protection assets to include critical and important non-governmental resources that must be safeguarded.
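Tasks 1 through 4 describe an inventory-then-categorize procedure, and the categorization step is the one a practitioner most often has to make mechanical. The script below is an added example, not code from Silverstone's essay: it assumes an inventory record layout of its own (the essay leaves the Task 1 format to the CISO's office), populates it with a constructed three-system sample, and applies the FIPS 199 security-categorization rule, in which each system receives a low/moderate/high impact level per security objective (confidentiality, integrity, availability) taken as the high-water mark over the information types it handles, and an overall impact level taken as the high-water mark across the three objectives. It also refuses to categorize records with unknown impact levels or no information types, since a silently defaulted category would undermine the ranking.

```python
"""Worked FIPS 199 security categorization over a constructed asset inventory.

Added example, not part of the essay. The SystemRecord layout is an
assumption standing in for the Task 1 inventory format; the impact levels
and high-water-mark rule are FIPS 199's.
"""
from dataclasses import dataclass

IMPACT_RANK = {"low": 1, "moderate": 2, "high": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One kind of information a system handles, with its per-objective impact."""
    name: str
    confidentiality: str
    integrity: str
    availability: str


@dataclass(frozen=True)
class SystemRecord:
    """Assumed Task 1-3 inventory entry: identity, boundary, shared points, data."""
    system_id: str
    agency: str
    boundary: str        # topological boundary the system sits in (Task 1)
    shared_with: tuple   # crossover points with other entities (Task 2)
    info_types: tuple    # InfoType entries the system processes


def _check_level(level, where):
    """Reject impact levels outside FIPS 199's low/moderate/high vocabulary."""
    if level not in IMPACT_RANK:
        raise ValueError(f"{where}: unknown impact level {level!r}")
    return level


def _high_water_mark(levels):
    """Highest impact level in a sequence; an empty sequence is an inventory gap."""
    levels = list(levels)
    if not levels:
        raise ValueError("cannot categorize a system with no information types")
    return max(levels, key=lambda lv: IMPACT_RANK[lv])


def security_category(system):
    """Per-objective impact: the highest level any information type assigns."""
    return {
        obj: _high_water_mark(
            _check_level(getattr(t, obj), f"{system.system_id}/{t.name}")
            for t in system.info_types
        )
        for obj in OBJECTIVES
    }


def overall_impact(system):
    """System-level impact: high-water mark across the three objectives."""
    return _high_water_mark(security_category(system).values())


def rank_inventory(systems):
    """Order the inventory by criticality, highest first, then by system id."""
    return sorted(
        ((s.system_id, overall_impact(s)) for s in systems),
        key=lambda pair: (-IMPACT_RANK[pair[1]], pair[0]),
    )


# Constructed sample inventory; agencies, systems and impact levels are invented.
SAMPLE_INVENTORY = (
    SystemRecord("HR-PAYROLL", "AgencyA", "agencyA-internal", ("AGENCY:Treasury",),
                 (InfoType("employee PII", "moderate", "moderate", "low"),
                  InfoType("payroll disbursement", "low", "high", "moderate"))),
    SystemRecord("PUBLIC-WEB", "AgencyA", "agencyA-dmz", ("PUBLIC",),
                 (InfoType("public notices", "low", "moderate", "low"),)),
    SystemRecord("EMERGENCY-ALERT", "AgencyB", "agencyB-ops",
                 ("PUBLIC", "NONCIVILIAN:DoD"),
                 (InfoType("alert dispatch", "low", "high", "high"),)),
)


if __name__ == "__main__":
    for system in SAMPLE_INVENTORY:
        print(system.system_id, security_category(system), "->", overall_impact(system))
    print(rank_inventory(SAMPLE_INVENTORY))
```

The HR-PAYROLL record shows why the high-water mark is applied per objective before being collapsed: the PII type drives confidentiality to moderate while the disbursement type drives integrity to high, so the system is high overall even though no single information type is high in every objective.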

In the second part of this paper, to be published next week, Silverstone will continue his discussion and focus on the CISO's role scope definition, budget concerns, and detail his three tenets, highlighting the importance of Public-Private partnership.
