Cybersecurity slowly has been getting the attention of the non-technology leaders over the last decade. But it’s been the creation of the White House’s cross-agency cybersecurity priority that seems to be driving that message more clearly home.
Andy Ozment, senior director in the White House’s Cybersecurity Coordinator Office, said Thursday more budget folks understand why cybersecurity matters.
“We are using the cross-agency cybersecurity priority to drive improvements across our three priorities,” he said, during a presentation at the Information Security and Privacy Advisory Board meeting in Washington. “We are seeing improvements whether it’s with agency CFOs or the Office of Management and Budget’s budget folks. They have a more clear understanding and focus of cybersecurity.”
Ozment said the cross-agency cybersecurity priority addresses the administration’s top three priorities: strong authentication through the use of Homeland Security Presidential Directive-12 smart identification cards, the Trusted Internet Connections initiative and the implementation of continuous monitoring.
The White House in its fiscal 2013 budget request to Congress outlined 14 cross-agency priorities, ranging from job training to energy efficiency to data center consolidation.
Each has a specific goal agencies are trying to achieve. Under cybersecurity, the administration wants agencies to have implemented critical capabilities across at least 95 percent of their systems by 2014.
By getting the budget folks to recognize the importance of cybersecurity, IT folks can more easily make their cases for spending on specific areas.
For instance, one hole in agency cyber programs is in the operating systems they use.
Donna Dodson, the head of the National Institute of Standards and Technology’s computer security division, said many are stuck in a Microsoft Windows XP world and aren’t taking advantage of the security upgrades built into Windows 7 or Windows 8.
She said many times that decision has to do with a business trade off the agency is making, and getting the budget people to understand why the investment is needed is difficult.
“Sometimes when you put some of these new systems in place, you break critical applications, and these operating systems do need to be thoroughly tested,” Dodson said. “Sometimes you need to understand these are the critical applications that will break and it will not work for me, or here are the critical applications that will break, how do I fix them? Or I am going to accept that not everything I have in place today will work.”
Rob Carey, the Defense Department’s deputy chief information officer, said the military services are using an array of operating systems, ranging from Windows NT to Windows XP. He even recently visited a Navy base where in the classified area they were using green screens, meaning very early computers, with early versions of DOS or Unix-20-to-30 year old technology.
Cloud, mobile complexities
Dodson said the decision to move to a new operating system only becomes more complicated because of cloud computing and mobile devices. She said NIST is trying to help out.
“With things like bring-your-own devices to work and thinking about cloud technology, we are trying to understand not just what that device needs to do, but also the back-end enterprise and what those capabilities need to be from an infrastructure standpoint whether it’s cloud or something you have available in your own agency or enterprise today,” Dodson said. “In addition, we are looking at technologies related to operating systems, vulnerability management, configuration management and security automation as a strong underpinning for enterprises, for clouds, for mobility that really have an effect that you can support things like continuous monitoring.”
NIST also is helping with the technical pieces of the cyber cross agency priority goal in these areas.
Dodson said NIST is developing the update to the HSPD-12 standard.
“We want to give people strong tools that they can use to support both logical and physical access control using those cards,” she said. “Today, we have standard reference material agencies can buy for a small fee where you get [HSPD-12] cards and some back end infrastructure so as you are building that capability for use of identity management with logical access control you have the test background in order to make it happen.”
Around continuous monitoring, Dodson said NIST is further developing the standards based approach to security automation controls.
“Having those underpinnings in products and having that availability to support continuous monitoring is critical as we move forward,” she said.