As President Bush prepares to leave office, the task of upgrading the security of federal information systems to deal with new cyberthreats continues to be very much a work in progress.
Several key federal cybersecurity initiatives launched during the Bush administration -- some in direct response to the Sept. 11, 2001 terrorist attacks -- are still years away. A few other initiatives are closer to completion but still don't do enough to protect federal networks and systems against increasingly sophisticated attacks from cybercriminals and nation states.
Fixing the situation will require the next administration to focus not just on completing the initiatives that are already under way, say security industry representatives. It also means increasing attention to issues such as collaboration between the public and private sectors, as well as a greater willingness to use the government's buying power to force change among vendors and service providers.
Crucial too is the need for the Obama administration to stop tying federal cybersecurity responses so closely to the broader post-Sept. 11 war against terror, said John Pescatore , an analyst with Gartner Inc. "The terrorist attacks of 2001 sent the Bush administration in the wrong direction," on the cybersecurity front, Pescatore said. There's been too much of tendency to view cyberthreats in the same light as physical terrorism threats and to respond to them in the same manner. In the process some of the more immediate threats to government data and networks have been somewhat overlooked, he said
Work in Progress
Despite some of the challenges, progress has been made, says Karen Evans , who serves as federal CIO in her role as administrator of e-government and IT at the Office of Management and Budget (OMB). She said there are several initiatives launched over the past few years that are already making, or will soon make a difference.
Top on Evans' list is Homeland Security Presidential Directive-12 (HSPD-12) of August 2004, under which federal agencies are required to issue new smart card identity credentials to all employees and contractors.
Agencies were supposed to have completed issuing the so-called Personal Identity Verification (PIV) cards by the end of last month but most are nowhere close to that goal and will require at least two more years to fully implement the mandate.
The initiative, a response to the Sept. 11 attacks, will result in much better identification and authentication of all individuals with access to federal systems and buildings, Evans said. It will also enable better security otherwise -- such as providing a second form of authentication -- for online services and teleworking, she said.
Other initiatives Evans noted include the recent upgrade of federal networks to more secure IPv6 protocol and the ongoing Trusted Internet Connectivity (TIC) effort , under which all civilian agencies are working to reduce the number of external Internet connections in place.
The TIC effort was launched in November last year as a way to reduce government-wide exposure to Internet-born risks and will result in the government reducing the number of external links it has from 4,300 to 100 over the next two years.
Evans also noted the Federal Desktop Core Configuration (FDCC) project, which is aimed at reducing procurement costs and bolstering security of desktop environments by requiring agencies to implement standard security configurations on all of their Microsoft Windows systems.
Earlier this year, President Bush also put into motion a highly-classified, multibillion-dollar Cyber Initiative that is supposed to bolster the nation's ability to detect and respond to cyberthreats against critical infrastructure targets. Relatively few details have been publicly disclosed about the effort, and with the National Security Agency (NSA) involved the initiative has spooked many, including some in Congress.
Despite fears, the initiative is being seen as an important, if somewhat belated, recognition by the federal government on the need for concerted multi-agency efforts to deal with cyberthreats on a national scale. Tom Kellerman, vice president of security awareness at Core Security Technologies, said it signals an "awakening in D.C" about the need for policy, procedures and presidential involvement in cybersecurity.