Preparing for inevitable threats to security

The CIO Council is stepping up its efforts to help federal managers understand and address the challenges of protecting systems and data.


The pressure on agencies to secure their systems is growing. Agencies are required to address security and privacy across all their systems, not just classified ones, and Congress and other stakeholders take notice when efforts fall short.

Perhaps the biggest issue, however, is not the public attention, but the lack of security awareness. "Often, management doesn't understand what their role should be," said John Gilligan, co-chairman of the CIO Council's security committee and principal deputy chief information officer at the Air Force. And, Gilligan said, once managers are aware, they are faced with a dilemma: "What should I do, and how much security is enough?"

The CIO Council is sponsoring several initiatives designed to help agencies facing such dilemmas.

The council hopes to have guidelines in place by the end of next year to help agencies "get a better handle on risk management," Gilligan said. Security lapses at the Energy Department have shown that agencies are not well-versed in risk management. The practice of risk management is not just about having the right tools in place; it's also about making informed decisions, he said. "It's the balancing of threats, vulnerabilities and countermeasures," Gilligan said.

There really is no such thing as risk avoidance when it comes to security, said Jean Boltz, assistant director of governmentwide and defense information systems at the General Accounting Office. "In today's world, you can't eliminate the risk. You have to manage it," she said.

With risk management, agencies must first recognize their critical assets. "Somehow, [agencies] need to have the distinction of what's important and what's not. Sometimes, it's not done at a refined level," Boltz said.

Agencies must also identify specific threats. Paul Kurtz, director of transnational threats at the National Security Council, said this is often difficult. "We don't know if it's a bored teen at home or a nation-state," he said at the E-Gov Information Assurance Conference last week in Alexandria, Va. "We can't immediately identify where the threats are coming from."

The CIO Council plans to develop benchmarks to help agencies determine what security is adequate for electronic services. The benchmarks will cover three primary areas: Web-based information services, financial transactions with the public, and government/industry procurement.

"We want to help guide [agencies'] efforts to secure electronic transactions," Gilligan said, adding that the public expects more from government. "Expectations are very high. We realize when a Web site is hacked, it's a big deal."

Coordination is also important. This month, the council plans to finalize a letter to agency CIOs identifying the role of the General Services Administration's Federal Computer Incident Response Capability (FedCIRC) and the responsibility of CIOs within agencies to work with FedCIRC. FedCIRC is the civilian government's cybersecurity warning and response center.

The letter will require CIOs to establish a way to disseminate warning information received from FedCIRC and forward any vulnerability incidents to FedCIRC so that the government can collect that information in a single place, Gilligan said, speaking at the E-Gov conference. The committee wants to "make sure" that agencies have the ability to share that kind of information, he added.

It makes sense for agencies to spread the word on viruses and other vulnerabilities, Boltz said. "The 'ILOVEYOU' virus provided a good lesson. If the first entity in government can get the word out to others in a hurry, it can save a lot of trouble for everybody," she said.
