CIO Council goes on offense

With time running out before the new fiscal year begins, the CIO Council plans to issue two memorandums within the next two weeks to agencies and Congress that urge putting in place policies that would better secure government computers.

One memo will require agencies to establish a relationship with the Federal Computer Incident Response Capability (FedCIRC), which disseminates information about and coordinates responses to cyberattacks across civilian agencies. The other will be an open letter to Congress — but aimed at the appropriations committees — emphasizing the importance of funding cross-government security initiatives in the 2001 budget.

The council wants to issue the memos, especially the plea for more security funding, as soon as possible to take advantage of the time left before the next fiscal year begins Oct. 1, officials said.

"If we don't get [the funding memo] out in the next week or so, we lose a lot of the opportunity" to secure funding, said John Gilligan, co-chairman of the security committee and Energy Department CIO. Congress returns from recess after Labor Day and will be pressured to finish up the appropriations bills so that members can return home to campaign.

The memo to Congress will request that the appropriations committees support about $40 million in security initiatives, including FedCIRC, a team of security experts at the National Institute of Standards and Technology that will serve as a resource to all agencies, and continued leadership from the Treasury Department for governmentwide public-key infrastructure efforts.

The council wants members of the appropriations committees to understand that the funding choices they make will affect many more agencies than just the ones that each committee has authority over. Attached to the memo will be a host of supporting examples and explanations as to why a single agency is taking action on behalf of the rest of government and the ramifications of not receiving funding, Gilligan said.

A lack of funding so far from the appropriations committees has been the No. 1 topic at many gatherings of government security professionals, said Dave Jarrell, program manager of FedCIRC at the General Services Administration. Many agency officials have become frustrated and see this memo kick-starting their efforts again. "It will get the attention of all the agencies if and when Congress takes notice and starts funding these initiatives," he said. "I think that this is going to be a crucial step."

The money sought for FedCIRC also will support the second memo the council plans to issue, which sets the stage for full dissemination of information and response to cyberattacks across government and within each agency.

This memo requires agencies to link into the FedCIRC network to ensure that every agency receives warnings, software patches and other information from the organization and also to ensure that agencies report any anomalous incidents back to FedCIRC. That will provide a full view of incidents across government.

"We're trying to get people to look at the bigger picture," Jarrell said. "We want people to realize that if they have a piece of information, it may be of little significance to them, but it may be of great significance to the government."

The memo also requires agencies to establish a formal process for disseminating FedCIRC information throughout their organizations and reporting to FedCIRC that information has been distributed. This will shorten the time it takes for agencies to coordinate responses to attacks and is key for incidents like the "ILOVEYOU" virus, where "minutes made a difference," Gilligan said.

With the two memos, the council, FedCIRC and the other government security organizations are trying to instill procedures that will change the culture of government and raise awareness of the steps that must be taken to keep their agencies secure. "We have to get people into the habit of embedding security in their daily practices so that they're not even thinking about it," Jarrell said.
