Kwon: More collaboration needed

The director of US-CERT urged more collaboration today between policy-makers and those who respond to cyber incidents.

Policy-makers and incident responders need to work together more closely to improve federal cybersecurity, the director of the office that monitors and protects the federal civilian computer network said today.

Mischel Kwon, director of the Homeland Security Department’s U.S. Computer Emergency Readiness Team (US-CERT), said computer security policy-makers and those who respond to cyber incidents have traditionally stayed in separate worlds, and that should change. Kwon made the comments during a presentation at the FOSE trade show in Washington.

“The only way we are going to get somewhere with what we’re doing is if we move our worlds and allow this to be one security world,” she said. “We need to start getting the policy side of the house and the incident-response side of the house to be partners, and we do this through reflection.”

US-CERT, the operational arm of DHS’ National Cybersecurity Division, analyzes threat capabilities throughout government and industry, disseminates warning information, and coordinates incident-response activities.

Kwon listed reflection as one of the five pillars of cybersecurity and described it as the time after a cyber incident when people reassess policies, procedures and technology to keep such an incident from happening again. The other pillars are knowing about the threat, assessing systems’ vulnerabilities, detecting attacks and mitigating them.

“I think of security as a well-designed system, a well-built system and a well-maintained system because if you have that, your vulnerabilities are small,” Kwon said. “I really do feel that life-cycle management is the panacea for security. It is the solution.”

Kwon said it was important to prioritize threats based on the potential effects they could have on an agency's mission and get as much information about an incident as early as possible.

She also said US-CERT is expanding its workforce and improving its technical tools for visualization and increased analysis, among others.

Civilian agencies reported a total of 18,050 cyber incidents to US-CERT in fiscal 2008, compared with 12,986 in fiscal 2007 and 5,144 in fiscal 2006, according to DHS officials.

“We’re seeing an increase in attacks…but we’re also much more aware that these attacks are happening,” Kwon said. “Yes, they are happening more, but we are also looking more, and when you look more, the incident rates go up.”

She added that the way incidents are currently tracked is inaccurate because agencies report cyber incidents individually even if they are part of the same cyberattack that affects multiple targets.

However, Kwon said, US-CERT is working on a new way of tracking incidents that would let the government more clearly report what is happening.

“With the new way of tracking through a master incident and mapping tickets to a master incident, we’ll get better metrics and we’ll be able to more clearly report what is happening,” she said.

The 1105 Government Information Group, Federal Computer Week's parent company, sponsors FOSE.