Former cyber exec: Spread cybersecurity responsibilities

In an interview with Nextgov, former director of the U.S. Computer Emergency Readiness Team Mischel Kwon also calls for less regulation and following basic patch processes to secure systems.

After just a little more than a year on the job, Mischel Kwon resigned as director of the Homeland Security Department's U.S. Computer Emergency Readiness Team, which analyzes cyber threats and disseminates warning information to federal agencies about cyberattacks. She was the fourth director at US-CERT since it was founded in 2003. Several federal cybersecurity executives beginning in the early George W. Bush administration years have resigned because of frustration over the lack of authority they had to secure the government's networks.

Kwon, now vice president of public sector security solutions for security vendor RSA, says the federal government needs to rethink some of its cybersecurity policies, including assigning too many cyber responsibilities to the Homeland Security Department and following an educational rather than a regulatory approach to improving security. "We have a good understanding where government is" in relation to cybersecurity, she says. "Now we need to look at the other sectors [of the economy] and with them understand what they need, not tell them what they need."

Kwon spoke on Tuesday with Nextgov cybersecurity reporter Jill R. Aitoro about the state of cybersecurity in the federal government, and what policies and programs could provide the best chances for success.

Nextgov: Is the new administration taking the correct approach for addressing cybersecurity in the federal government?

Kwon: The approach is still being developed. We are a constitutional government, though we often forget how that works. The fact that the legislators are drafting bills and contemplating the problem and coming up with ways to better govern and work together is a good sign. That's a slow process and it's intended to be. At the same time, the White House is looking at how to lead the government in following legislation. People are impatient, but it's actually moving pretty quickly.

Departments and agencies are moving forward, which is actually the exciting news. These multibillion-dollar systems need to be managed and secured at the department level. I think we're seeing that happen today, which is the real win. The Justice Department is stepping up, pooling resources and using money wisely for IT and IT security. Agencies like [the] State [Department] are developing ways to make the [2002 Federal Information Security Management Act] count, and [the] Treasury [Department] is doing great life-cycle management and improving IT systems to better serve taxpayers.

Nextgov: You didn't mention the Homeland Security Department, which has seen a lot of leadership and organizational changes.

Kwon: It's a new agency, so figuring out how to work together with their many arms and components is an ongoing struggle. They've also been tasked to help in this collaboration and coordination between departments and agencies and even beyond. That's a large task. I'd say some authorities are appropriate and some are not. It's not something they can handle all on their own.

Nextgov: Has DHS been charged with too much responsibility for cybersecurity?

Kwon: I'd like to see them handle what they can, and once they do, give them more. But instead, every time you turn around, someone says, "Give it to DHS to do." We need to figure out how all the agencies fit together and spread [the responsibilities] around so it's manageable.

None of this is going to happen overnight. I laugh when people say 60 days for this or 90 days for this. This is a several-year process and will take some time to get right.

Nextgov: What are the biggest threats agencies face?

Kwon: Adversaries are mainly attacking known vulnerabilities. [Failure to] patch third-party software is killing us, because that's the hardest to patch on an automated basis. A lot of the problems stem from e-mail, with [attackers] taking advantage of a vulnerability once inside. They attack the way we use our systems, knowing we're a society of clickers that open every e-mail and surf everywhere [on the Internet]. We have to be vigilant and secure those [applications] first, then further prioritize how we clean our systems.

Nextgov: Are agencies improving their system hygiene?

Kwon: When you look at what the State Department is doing to automate the tracking of system hygiene [processes] and report back to executives, scoring how each piece of the network is being protected, that is taking the geek speak out of it and allowing the technical people to talk to executive-level management about the risks. Now we see Justice starting to deploy a new system to do the same.

I also see a lot of push for the 20 critical controls released by the [cybersecurity research group] SANS Institute, which help agencies prioritize and thwart the attacks that are happening to everyone. We need to close the holes that are biggest and most gaping.

Nextgov: Do those changes need to be incorporated into FISMA?

Kwon: This is an [answer] that will take your breath away: The legislation already includes that [requirement], and is pretty well-written, but we poorly implemented FISMA. To enable better implementation we may have to change the legislation to be more prescriptive, but I caution us to not be overly prescriptive. In the 800-53 document [from the National Institute of Standards and Technology, which lists recommended security controls for federal information systems and organizations], we trap ourselves in. We need to figure out how to be technical and not paper pushing, but at the same time nimble. That's a challenge, which requires a whole lot more collaboration than we've had in the past. I see that being written into the [bills] on the Hill, and that's promising. But that nimbleness is the key to our success.

Nextgov: Is reforming the procurement process to place more responsibility on industry to ensure the security of IT products necessary?

Kwon: We have to focus more on partnership than levying demands on each other. We've already got a lot of issues with our acquisition process -- the Federal Acquisition Regulation is now basically an unreadable document that is hard to follow. Becoming better partners with private industry and having a more free and open dialogue to allow industry to be innovative are critical to moving forward. Someday someone will take on the government acquisition process, but this isn't the time. There are other ways we can collaborate.

Nextgov: Information security of the U.S. critical infrastructure has been a big focus on the Hill lately. Are more regulations required?

Kwon: Before we move into the regulation arena, we need to consider education. Sometimes [government] looks at industry and makes a broad, sweeping statement and then moves out, rather than understanding where the industry sits in the continuum of [IT security]. IT is a relatively new strategy for [the energy] sector, for example. Moving that sector along in understanding the threats and managing security in an operational environment is something that needs to grow before we slap more regulation on them. Regulations come in time, when they're able to digest them. We have a good understanding where government is. Now we need to look at the other sectors and with them understand what they need, not tell them what they need.

Nextgov: You seem to advocate a more phased approach to information security.

Kwon: One mistake we've made in the past is to demand [agencies] to be in certain spots at certain times. But [information security] is an evolution. Rather than say, "This needs to be done in 30 days," [we should] say, "This is the biggest risk to business now, so it moves up in priority," or "This is a priority, but not as big as getting weapons to law enforcement." We need to think of IT as a piece of the business strategy rather than just another asset.