2008 Watch List: Security initiatives show promise

Officials express guarded optimism as milestones for major projects converge

Agencies are on schedule to reach major milestones for several security initiatives that the Office of Management and Budget launched during the past several years. As those milestones converge in the final year of the Bush administration, government security efforts will provide greater security for federal networks and agencies’ missions, security experts inside and outside of government say. “I am guardedly optimistic that the stars are beginning to align on cybersecurity,” said Paul Kurtz, chief operating officer of Good Harbor Consulting. Kurtz said security finally is gaining the executive attention it deserves and, he added, the funding to safeguard federal information systems and networks. Converging security efforts include Homeland Security Presidential Directive 12, the transition to IPv6, implementation of the Federal Desktop Core Configuration for Microsoft’s XP and Vista operating systems, the Information Technology Infrastructure and Information Systems Security lines of business, the Trusted Internet Connections initiative, a gateway monitoring application called Einstein, and OMB’s security requirements for preventing and responding to data breaches and complying with the Federal Information Security Management Act. OMB has brought together a variety of initiatives into a governmentwide security program. For example, the deadline dates for implementing one program, IPv6, overlap with the deadline for the Trusted Internet Connections initiative, said Dan Chenok, vice president at SRA International. He also is the chairman of the Information Security and Privacy Advisory Board, a group that makes recommendations to the National Institute of Standards and Technology. “The initiatives are mutually enforcing,” Chenok said. “You might see these as different components of a defense- in-depth posture.” The desktop core configuration standard helps agencies manage security at a desktop level, Trusted Internet Connections works at the network level and HSPD-12 at the log-on level. IPv6 secures data transfers. Each one is a different piece of the same puzzle, Chenok said. Agencies are required to run IPv6 on their backbone networks by June, a mandate that coincides with the expiration of telecommunications and network services under the General Services Administration’s FTS 2001 contracts. Agencies are preparing to migrate to Networx, the follow- on contracts, said Karen Evans, OMB’s administrator for e-government and IT. While that transition happens, agencies that are upgrading their operating systems must implement the Federal Desktop Core Configuration. Having a standard configuration makes security patches easier to apply. In addition, managers will know who is accessing the agency network when agencies implement two-factor authentication by using HSPD- 12 cards. That will become a standard business practice, Evans said. Another initiative that is reaching a major milestone is OMB’s Infrastructure LOB, which requires performance metrics for telecom, desktops and data centers. For its most recent security initiative, the Trusted Internet Connections program, OMB directed agencies to reduce the number of Internet gateways they use. Agencies will strengthen security at those fewer gateways with the Einstein application, which monitors traffic at each gateway. “Many of the security efforts build upon each other,” Evans said. “That’s the reason why we have similar target dates.” OMB also asked agencies to begin using the desktop core configuration by February and HSPD-12 by October. As those programs are progressing — some more slowly than others — agency compliance with FISMA is advancing to a new level by incorporating a risk-based approach to security. NIST, the Defense Department and the Office of the Director for National Intelligence are developing standard security controls for all agencies. The intelligence and defense communities and NIST will modify their security requirements documents by December, said Ron Ross, a NIST senior computer scientist. All the ongoing security efforts couldn’t have been successful five years ago because agencies did not view themselves as one federal government, Evans said. “Agencies think more in a collaborative fashion, and technology’s evolved enough so we’re ready to move on to the next generation of services.” Those security efforts aren’t just about protecting agencies, Evans said, adding that security is about ensuring public trust. Kurtz said enormous security problems inside agencies have propelled the convergence of governmentwide security initiatives. “Network security inside the government is so porous that the bad guys — China and Russia — have been able to exfiltrate vast amounts of data,” Kurtz said. “Only by learning the hard way is government stepping up to the plate and starting to devote senior-level attention and money to address these issues.” Kurtz said Evans deserves much credit for laying the foundation. “Now that we have far more senior-level attention across federal agencies, we may see more rapid execution [of] those mandates that were put in place,” Kurtz said. However, getting funding to fulfill those mandates still is a challenge for large departments and agencies. Pat Howard, chief information security officer at the Housing and Urban Development Department, said that for the department, which outsources its information technology infrastructure, prioritizing all the federal security requirements requires a high level of coordination. “If we’re saying that our networks are so important to us in order to do the people’s business, then we need to be able to resource those requirements,” Howard said. Evans said the president’s 2008 budget contains sufficient funding — more than $6 billion — for security initiatives. “It just might mean that out of the money that you were planning to spend,” Evans said, “you might want to redirect some of these things because not everybody needs to build out a firewall, not everyone has to build out 24/7 capabilities, not everybody has to have all of these things. What we’re trying to do is leverage who does it well and have them do it.”  

Agencies juggle priorities

The Office of Management and Budget initiated several new security measures in 2007 that will keep agencies busy during the next 12 months. Other policies and initiatives will also compete for attention and funding.

Border security

The failure of Congress and the Bush administration to agree on comprehensive immigration reform last year and the increasingly heated debate among presidential candidates on immigration policy will set the stage for border security to become a major issue this year.

Homeland Security Secretary Michael Chertoff said border security is at the top of his agenda for 2008.

Other homeland security priorities will also demand his attention. Information technology-based identity-verification projects — including the Secure Border Initiative’s SBInet, Real ID standards for driver’s licenses, the Western Hemisphere Travel Initiative and the U.S. Visitor and Immigrant Status Indicator Technology program are expected to come under intense scrutiny as they continue to evolve.

— Ben Bain

Managed services

Agencies’ reliance on managed-service providers for administrative services likely will increase as workforce numbers remain steady and workloads continue to grow.

Agencies increasingly are inclined to let service providers handle the details of running major information systems while they focus on the services the systems provide.

Managed services are the future at the Defense Department, said John Garing, chief information officer at the Defense Information Systems Agency.

— Matthew Weigelt

Presidential election campaign

As the presidential election campaign gears up for its final lap, several candidates have put forth plans that could alter the way agencies conduct business.

Former New York City mayor and Republican candidate Rudy Giuliani said he would not replace half the federal workers who will retire during the next decade.

Candidate Rep. Ron Paul (R-Texas) went further, promising to scuttle many agencies, including the Education Department and the Internal Revenue Service.

Sen. Hillary Clinton (D-N.Y.) said she would cut half a million federal contractors.

Sen. Barack Obama (D-Ill.) released an information technology plan that would create a chief technology officer position in the federal government.

No matter who comes out on top, agencies can anticipate change.

— Wade-Hahn Chan

Cyberwarfare

As the need to secure federal networks rose on the Bush administration’s priority list last year, a central question emerged: Does the United States need a policy for offensive cyberwarfare? DOD is in favor of such a plan. After suffering repeated attacks — some successful, most not — DOD officials asked Congress for new rules of engagement.

Maj. Gen. William Lord, commander of the provisional Air Force Cyber Command, said the government must decide whether to defend against cyberattacks before they occur.

— Jason Miller





























































NEXT STORY: 2008 Watch List: EVM for everyone