Government's security advantage

Although there may be gaps in some federal agencies' information security strategies, agencies do have a framework that gives them some advantages over the private sector, according to a leading Homeland Security Department (DHS) official.

Government and industry face some of the same challenges in the battle to protect against cyberthreats and -attacks, said Sallie McDonald, who oversees the Federal Computer Incident Response Center at DHS.

But federal agencies have the Office of Management and Budget to provide oversight, ensuring that they comply with security legislation such as the Government Information Security Reform Act (GISRA) of 2000 and its successor, the Federal Information Security Management Act (FISMA) of 2002, she noted. McDonald was speaking March 27 at a forum conducted by The Information Technology Association of America (ITAA) on the government/industry partnership in securing cyberspace.

"We're both in the same situation," she said, but "we are being [forced] to look at what we are doing in cybersecurity and improve our posture." Securing businesses and agencies "is not a technology problem; it's a problem of people and processes," she added.

Industry could benefit from having a framework like the federal government, which sets guidelines agencies must comply with, said Dan Burton, vice president of government relations for security vendor Entrust Inc. He said talks are under way in the private sector about establishing security guidelines and an organization that oversees compliance.

While the federal government has made some headway in giving high priority to cybersecurity, it is not time to rest on "our laurels," said Rep. Sherwood Boehlert (R-N.Y.), chairman of House Science Committee. He also spoke at the ITAA forum.

"We're still not devoting anything like a sufficient amount of money to cybersecurity," Boehlert said. "And, as has been the case for years, it's hard to tell from the budget exactly what federal money is going into cybersecurity, especially into" research and development (R&D).

He pointed out that the National Science Foundation has received funding for cybersecurity, but so far doesn't appear to be implementing the Cybersecurity Research and Development Act. There must be oversight of the National Institute of Standards and Technology's security budget as well as DHS's cybersecurity efforts, he added.

Boehlert said "DHS does not seem to be organized or funded in a way that focuses sufficiently" on cybersecurity vulnerability. He acknowledged, however, that the department is still getting organized.

Moreover, he said, "The Defense Advanced Research Projects Agency (DARPA) is actually reducing its funding." He noted that in its public programs, DARPA this year will spend less than half on defensive cybersecurity R&D than it spent just two years ago. "The agency is planning to eliminate its funding for this area of research entirely," he said.

Boehlert said he was "laying out a call to arms," noting that government had the best chance ever to finally devote the resources and attention to improve cybersecurity significantly.