The reason is simple: agencies have finally moved beyond the need to understand why cybersecurity is important.
Andy Ozment, the assistant secretary of the Office of Cybersecurity and Communications in the Homeland Security Department, said in his 15-plus years in federal cybersecurity, this is the first year raising awareness isn’t necessary anymore.
“From all the breaches that have been in the news to what companies are seeing on their own networks and their understanding about the risks they have to manage, this is the year, it seems to me, that people recognize cybersecurity is important and cyber risks are risks they have to manage,” said Ozment, in an exclusive interview with Federal News Radio. “I think that is a big change this year.”
The idea of managing cyber risk is part of a growing expertise across government.
DHS, which is leading the operational side of the civilian agency cybersecurity effort, has several initiatives underway to help agencies do a better job at understanding and mitigating risk.
Ozment said his office’s goal is to create a scorecard to measure agency progress in securing its systems.
“That’s a tough thing to do. Nobody has cracked the code — the public sector, the private sector, other governments — you name it. No organization has said we know exactly how to measure cybersecurity, and we’re not going to get all the way there,” he said. “I think we can have a scorecard or a dashboard that gives us reasonable confidence that we know how secure a department and agency is.”
Several metrics already in use
Ozment didn’t offer more details on what the scorecard would look like, but the development of it would depend on several ongoing initiatives such as the continuous diagnostics and mitigation (CDM) program, the continued expansion of the Cyberscope tool and potentially a new law to update the Federal Information Security Management (FISMA) Act.
The White House is measuring agency cybersecurity as part of its cross-agency performance goals. The administration measures the progress of agency implementation of the Trusted Internet Connections, continuous monitoring and the use of smart identification cards for computer and network access under Homeland Security Presidential Directive-12.
In the latest progress report for the third quarter of fiscal 2014 on Performance.gov, the White House reported 64 percent of all agencies are using strong smart card authentication to log onto their computers, 92 percent of all agency Internet traffic passed through a TIC portal and 91 percent of all agencies have implemented the TIC capabilities. The administration also reported 88 percent of all agencies met the device discovery process part of continuous monitoring.
The Office of Management and Budget, the White House Cyber Coordinator and DHS also are holding cyberstat sessions with agencies as a way to measure progress in securing systems and networks.
Beyond cyber metrics, Ozment said another priority is around cyber information sharing. He said DHS receives a ton of data about cyber attacks and vulnerabilities, and the goal is to share with the private sector more easily.
“The private sector has the option of sharing information with the government. It’s entirely voluntary, but a lot of companies are patriotic and want to help the greater good and contribute to the nation’s cybersecurity. Dr. [Phyllis] Schneck’s (DHS deputy undersecretary for Cybersecurity and Communications for the National Protection and Programs Directorate) vision is that we have information coming from the government, information coming from the private sector, let’s make sure we put the information together and draw new insights from it.”
A more operational role
A third priority is the continued implementation and adoption of the cybersecurity framework to protect critical infrastructure that came from President Barack Obama’s February 2013 executive order.
Ozment, who came to DHS in March after spending nearly two years working in the White House’s cyber coordinator’s office, said overseeing the operational side of the policies he helped develop gives him more confidence in the government’s cyber progress.
“Fortunately, I think we did a pretty good job,” he said referring to the policy development. “It’s exciting for me because I’m seeing the people who are on the ground really making a difference every day. Whether it’s engaging with a private sector individual who needs to understand how to manage their company’s security risks, or whether it’s running the Einstein system to help protect a government agency, the people inside my organization are making a difference every day in cybersecurity where it counts.”
Ozment said the biggest difference in the roles is how hard he pushes agencies. While at the White House, he said he had to push agencies further and faster to defend their networks. Now at DHS, he has to find the right balance between pushing the ball forward but staying within the resource limitations that every agency faces.
“We are focused on helping our customers, departments and agencies understand and manage their risks, meaning we give them information about where there are vulnerabilities, what the threats are, who the bad guys are and what they are trying to do, and what are the potential consequences of an incident,” he said. “Then we help them with enterprise capabilities like the Einstein system to detect and stop the bad guys from breaking in, like the continuous diagnostics and mitigation program, which will give the departments and agencies a tool to better manage their networks and to ensure their devices and systems aren’t vulnerable.”
Ozment said DHS is also measuring and motivating agencies.
“We are measuring them in the sense that we are assessing where they are with respect to security. We’re motivating them by helping them understand how much further they need to go. And when appropriate and necessary, helping the White House understand where agencies are so the White House can get involved if an agency falls behind,” he said. “The final thing we are doing is we are working with agencies to reduce how often incidents occur and the impact of any incidents that do occur.”