Posted by Andrew Jaquith on May 29, 2009
This morning, US President Barack Obama unveiled the outlines of a change in direction for US cyber-security policy. The first announcement relates to the creation of a new military command that will centralize and expand on existing cyber-war-fighting capabilities. This is overdue, and should bring more coherence to efforts that were already spread out between several different military branches (notably the Army, Navy and Air Force) and the intelligence services. The NSA, for example, has long had a “red-team” offensive capability in addition to its defensive corps. As I understand it, the new military cyber-command will reside in the Department of Defense. Less clear is whether the new organization will just be a military operation, or whether it will also take over parts of the intelligence services’ capabilities.
The second part of today's announcements, the Cyberspace Policy Review, seeks to reform the way the US Government secures itself, its agencies and critical infrastructure like the stock exchanges. As reported in a story in the New York Times, the reforms will create a new office residing in the White House that will report to both the National Economic Council and the National Security Council. The remainder of this blog post analyzes what the plan, which was unveiled at 11 today, recommends.
But first, a little background. Most security-watchers know that the last big attempt to improve government security was FISMA, the Federal Information Security Management Act. The Act codified an approach to protecting government systems. It required all federal agencies to assess the risk of their information systems, implement minimum baseline security controls as defined by NIST, and most critically, certify and accredit that each agency's systems had in fact implemented the required security controls. The tangible outcome of the process was a related “scorecard” exercise undertaken by the House Oversight and Government Reform Committee. The idea was to give letter grades (A through F) to each agency.
In theory, this sounds like a good idea. In practice, it did little to improve security. The evidence is everywhere. We've all read the reports in the news about perfidious Chinese hackers, opportunist Ruskies and the like snooping around federal systems and systematically looting them of all their treasures. The picture painted in the press is of a government whose variously-accredited and certified systems are nonetheless wide-open to hackers. While it's hard for most people to get a real sense of the scope of the problem from the papers, people I've spoken to who do government contract work for a living tell me that the stories we've seen are just the tip of the iceberg. And on a personal note, I can tell you that in my past I've helped investigate an incident involving an attack on a military weapons program by foreign attackers. So the dangers seem clear and present to me.
So, what's wrong with FISMA, and what does this review address? In my view, FISMA serves a useful function because it defines how the risk assessment, control selection and audit processes are supposed to work at a federal level. This is good, but it is important to remember that FISMA is mostly about compliance with a security program and its processes, and not about the effectiveness of the security itself. Practically speaking, what FISMA and the annual House scorecarding ritual did was:
And beyond FISMA, the current approach did not:
The review recommends the following 10 actions, which I have reprinted and lightly edited:
Overall, there is more to like about the Cyberspace Policy Review than dislike. It correctly shifts the emphasis from process to outcomes, and makes pragmatic recommendations on how to remove barriers to getting things done. This is all good.
For Forrester customers in the commercial and private sectors, the Cyberspace Policy Review will not mean much in the very short term. The document merely recommends changes to the direction of future US policies. We are a long way off from seeing legislation that would obligate enterprises to do anything differently than they are doing today. However, over the medium term the recommendations will inform policy decisions lawmakers must make. As a result, I expect the private sector will see:
Overall, the document signals quite clearly that our previous approaches were not working. One might say that Hope — something President Obama campaigned on — will not be sufficient when it comes to cyber-security. Ironic, no?
I'd recommend you read the Cyberspace Policy Review yourself to draw your own conclusions. It is about 75 pages, and not a difficult read. As always, I value your comments and e-mails.