What Should WH Cybersecurity Coordinator’s Job Description Look Like? One Man’s View

About this series: In a paper he wrote and published before President Obama’s announcement regarding the creation of a national cybersecurity coordinator, Ariel Silverstone, a CISSP and former member of the Israeli Defense Forces, put forward his thoughts about the necessity of having a chief security officer for the United States. In this second installment, he discusses where he sees the CSO role fitting in, and the core “Three Tenets” he sees as critical to success in this role. Silverstone also lists his vision for the next 6 (of 23) tasks that he sees as essential for information security in the United States.

READ PART 1: Mission Impossible? A Plan to Secure the Federal Cyberspace

PLACEMENT AND REPORTING STRUCTURE

This position will bear responsibility for the entire civilian government. Placing it within the Department of Homeland Security (DHS) sends the wrong message that the other agencies would not have to abide by its decisions. Further, in Industry sectors that are not traditionally related to defense, a conflicting set of requirements, such as those from the Department of Commerce, may exist.

To send a uniform, measured and coherent voice, I believe that this position should exist within the Executive Office of the President. Just as the nation’s chief information officer (CIO) and chief technology officer (CTO) co-ordinate efforts from that office, so should the CSO, working closely with his peers, to the breadth of the civilian government. The Office of Management and Budget (OMB) will be one ideal place for such an endeavor, where the functions of the office can physically take place.

Day-to-day oversight of this position should be given to the chief of staff, however, and the person should report directly to the President of the United States in regards to progress on all urgent, tactical and strategic plan tasks. Additional oversight is provided, of course, by the system of government we call Checks and Balances that allows the United States Congress to demand reports and performance of certain tasks.

As we have learned lessons during the time passed since the creation of this position at the Department of Homeland Security, this position must have at its disposal a federal purchasing authority. The ability to make budgetary decisions, for specific and for government-wide tasks, not only for efficiency but also especially for the ability to affect performance, is essential.

Budget

Since cybersecurity is an evolving challenge, and since we are addressing different time horizons here, we must ask Congress to allocate a multi-year budget to this opportunity. The sheer size of the challenge demands the ability to focus on proper solutions, whether short- or long-term, and discourages a quick-fix approach.

THREE TENETS

I propose to organize this Herculean effort upon three tenets. These pillars reflect my belief that this is not a job that can be done by one person alone. This role must be supported by an organization, and by the office where it belongs. As I described above, this role’s scope is beyond the federal agencies alone. The constant sharing, update, testing, verification and enhancement of the data needed and generated by this role is essential and mission critical.

Public/Private Collaboration

For collaboration to work, a real two-way sharing of ideas is needed. Due to hard and excellent work of many generations of security professionals, the United States government employs some of the brightest minds in the field of information security. The research and development done is paid for, and is done to the benefit of all our citizens. Likewise, innovation is usually seen as the purview of private industry. From Silicon Valley to Syracuse, smart and entrepreneurial men and women have invented and thought, in non-traditional ways, of solutions to problems that are faced by all information users, regardless of the source of their paycheck.

In many countries, sharing of progress is a self-understood, defined, and deeply ingrained process. I propose the official increase of the sharing efforts already done on our shores:

Task 6: Create an Official advisory board of industry and government luminaries to advise the Chief Information Security Officer in his or her duties.

Further, why not utilize the formal organizations within the government, even within the Defense and Intelligence agencies, to advise and test the protective measures, electronic and others, which sensitive industry has in place? While the legal framework for performing such action has to be clarified, doing so will pit the best-of-the-best “red teams” versus the most important private sector data and that data’s guardians. Only improvement can come out of such effort.

While I clearly anticipate that this plan will generate a lot of consternation within the reading audience, I sincerely believe that other countries (China, Israel, France, to name just a few) are already, and have for a while, used exactly this type of sharing to the betterment of their nation, and the possible detriment of ours.

Task 7: Recommend legislative changes, where needed, to allow utilization of public capabilities to test and enhance defenses of sensitive industries

Information Sharing

The term “information sharing” is not limited to testing of a sector’s capabilities. The Federal government should monitor for directed attacks targeting sensitive industry sectors and both warn targeted companies and participate in the sector’s defense. Actively participating in a defense of a pharmaceutical company under electronic attack is not different than assigning an anti-aircraft missile battery to guard the same company’s buildings against bombers. Actively warning a bank against a targeted attack is not different than assigning police personnel to guard the bank’s entrances.

During the horrific attacks on 9-11, the terrorists targeted some of the most visible symbols of United States pride. The twin towers, standing tall in our most visible city, represented to some the wealth, reach and power of our United States. The Pentagon represents the might and force of our military power.

Imagine what would have happened if the targets in New York City would have been slightly different: What if the New York Federal Reserve Board, with its wealth of nations in gold bullion, was hit? What if a certain data center “hoteling” point was targeted?

These are not rhetorical questions. These are real, soul-search demanding questions that should be researched, addressed, and protected. The loss of life answer will not be easily known. The financial and transactional loss, and with it, the following damage to our nation (and indeed, the global economy) would have been disastrous.

Task 8: Demand disaster preparedness and business continuity programs will be developed, maintained, tested and updated by all identified sensitive sectors, with the aid, support and verification of the United States government.

As the task above, while obvious in its necessity to most, is costly, I urge that a public debate on its priority, essential nature, and cost mitigation, shall take place. I expect this task to be a very hard “sell” to many elements in the private sector.

Since more and more of our information business is handled by companies and networks that are global in reach, I would recommend a more active participation in worldwide standards organizations. Chief among those is the International Standards Organization, the ISO.

Some of the excellent work performed in the United States, for example, in the fields of disaster recovery, be it covered under Continuity of Government (COG), Continuity of Operations (CoOP), or civilian data recovery (for example, the work by the Disaster Recovery Institute), can contribute vastly the developing International Standard that will come out of the British Standard (BS) 25999. Likewise, the International Standard 27001 and its related family can be applied to global organizations. These standards are easily audited and have the additional benefit of more easily available people resource to implement.

I applaud the National Institute of Standards and Technology (NIST) participation in these efforts, and in particular in the excellent work done on revision 3 (draft) of the NIST Standard and the revision’s “Introducing a three-part strategy for harmonizing the FISMA security standards and guidelines with international security standards including an updated mapping table for security controls in ISO/IEC 27001“

Task 9: Champion, with the National Institute for Standards and Technology (NIST), the United States’ participation and Leadership in worldwide Standards Organizations.

No discussion of information sharing will be complete without mention of the Information Sharing and Analysis Centers, the ISACs. The theory behind the creation of the ISACs was a sound one. The execution of most ISACs, however, is anemic at best.

The funding for programs which contribute to the ISACs, such as through DHS’s National Protection and Programs Directorate (NPPD) and/or Information Analysis and Infrastructure Protection Directorate (IAIP) (formerly including the National Infrastructure Protection Center (NIPC)), has been not only sporadic, but frequently in doubt from one budgetary year to the next. We must change this now. National Infrastructure Protection is no less important than Civil Defense. Collaboration within industry groups must be immune from anti-trust laws, and allowed to be, or even demanded to be, free-flowing, continuous, and documented.

Task 10: A documented knowledge-sharing effort must be funded for critical industries. This effort should be coordinated and protected by legislation so thoughts and information will be free flowing.

Directed Research

“Information protection” does not define a fire-and-forget attitude. Constant research and betterment of our posture, defensive as well as other, is essential to our economic survival. The federal government should take its rightful place as the champion, supported and demander of par-excellence education, research and development of information security tools, techniques, procedures and understanding.

We should invest in centers of excellence within schools, from the high-school level to universities, which will encourage awareness of information security. Awareness is foundation to all information security efforts. Without awareness, we shall surely fail.

We should contribute to the development of nuclei of understanding and to the clusters of knowledge that will operate within research universities. These clusters will encourage thinking about information security problems and solutions, and will, most assuredly, enhance further the economic success of the United States by providing generations of scholars.

We should consider the formation of a cadre of thinkers, following in the example of AmeriCorp, available to advise the government and industry, on best and future practices in the realm of Information Security. This would be a substantial expansion of the National Science Foundation (NSF), the Office of Personnel Management (OPM) and the Department of Homeland Security’s Scholarship for Service.

Task 11: Work together with the Department of Education and Congress to develop scholarships, curricula and mentoring abilities made available to public and private institutions to enhance learning within the field of Information Security.

In the third (and final) part of this paper, to be published next week, Silverstone will continue his discussion and focus on the timelines and responsibility he sees for the government, academia, and industry in the fulfillment of the promises of this position.