Preparing for inevitable threats to security
- By Colleen O'Hara
- Oct 02, 2000
The CIO Council is stepping up its efforts to help federal managers understand
and address the challenges of protecting systems and data.
The pressure on agencies to secure their systems is growing. Agencies
are required to address security and privacy across all their systems, not
just classified ones, and Congress and other stakeholders take notice when
efforts fall short.
Perhaps the biggest issue, however, is not the public attention, but
the lack of security awareness. "Often, management doesn't understand what
their role should be," said John Gilligan, co-chairman of the CIO Council's
security committee and principal deputy chief information officer at the
Air Force. And, Gilligan said, once managers are aware, they are faced with
a dilemma: "What should I do, and how much security is enough?"
The CIO Council is sponsoring several initiatives designed to help agencies
facing such dilemmas.
The council hopes to have guidelines in place by the end of next year
to help agencies "get a better handle on risk management," Gilligan said.
Security lapses at the Energy Department have shown that agencies are not
well-versed in risk management. The practice of risk management is not just
about having the right tools in place; it's also about making informed decisions,
he said. "It's the balancing of threats, vulnerabilities and countermeasures."
There really is no such thing as risk avoidance when it comes to security,
said Jean Boltz, assistant director of governmentwide and defense information
systems at the General Accounting Office. "In today's world, you can't eliminate
the risk. You have to manage it," she said.
With risk management, agencies must first recognize their critical assets.
"Somehow, [agencies] need to have the distinction of what's important and
what's not. Sometimes, it's not done at a refined level," Boltz said.
Agencies must also identify specific threats. Paul Kurtz, director
of transnational threats at the National Security Council, said this is
often difficult. "We don't know if it's a bored teen at home or a nation-state,"
he said at the E-Gov Information Assurance Conference last week in Alexandria,
Va. "We can't immediately identify where the threats are coming from."
The CIO Council plans to develop benchmarks to help agencies determine
what security is adequate for electronic services. The benchmarks will cover
three primary areas: Web-based information services, financial transactions
with the public, and government/industry procurement.
"We want to help guide [agencies'] efforts to secure electronic transactions,"
Gilligan said, adding that the public expects more from government. "Expectations
are very high. We realize when a Web site is hacked, it's a big deal."
Coordination is also important. This month, the council plans to finalize
a letter to agency CIOs identifying the role of the General Services Administration's
Federal Computer Incident Response Capability (FedCIRC) and the responsibility
of CIOs within agencies to work with FedCIRC. FedCIRC is the civilian government's
cybersecurity warning and response center.
The letter will require CIOs to establish a way to disseminate warning
information received from FedCIRC and forward any vulnerability incidents
to FedCIRC so that the government can collect that information in a single
place, Gilligan said, speaking at the E-Gov conference. The committee wants
to "make sure" that agencies have the ability to share that kind of information.
It makes sense for agencies to spread the word on viruses and other
vulnerabilities, Boltz said. "The 'ILOVEYOU' virus provided a good lesson.
If the first entity in government can get the word out to others in a hurry,
it can save a lot of trouble for everybody," she said.