More with the CIO

By CIOinsight  |  Posted 09-01-2004 Print


EUC with HCI: Why It Matters

of DHS"> How well integrated into the HSOC is the Centers for Disease Control's BioSense system, for instance?

It is not integrated if you mean electronically or digitally connected.

Because we have people in the HSOC representing the Department of Health and Human Services, we have the reach-back capability, first of all, and second, the folks that actually run BioSense also have a forward reach into the HSOC if and when it's appropriate to make contact.

Don't forget that it is also extremely effective. I know it's not as sexy from a technology standpoint, but the subject-matter experts that handle any subject in any department can pick up the telephone and call directly into the HSOC.

Information is moving, even though sometimes it involves human contact via telephone. The point is that that still counts, even if the goal is to automate or make available as much information digitally as we can in the fight against terrorism.

What plans do you have to secure the new network?

We have put in place a single departmental Computer Incident Response Center. That's a big step forward, because rather than having 12 of these things running around, we have one 24-by-7 operation.

The CIRC has already successfully responded to virus attacks, and it has been instrumental at managing every type of incident.

We have also implemented an information security advisory board, identified information security managers for every major organizational element, and put in place information systems security officers who work at the application level.

We have also implemented one of the first automated tools—a digital dashboard—so we can maintain a constant digital scorecard of our performance.

The DHS has been getting pretty poor grades from Congress regarding the Federal Information Security Management Act. So far you have an F.

Honestly, we went from a patchwork quilt that was relatively insecure to not being where we want to be yet. But we're certainly more secure than we were a year and a half ago.

The same is true, to a relative degree, across the entire federal environment. If you take each department's scorecard, unfortunately you will see large departments sitting with Fs, but if you look at the overall grades, they are improving.

To what extent does the work you do affect the overall security of government networks?

The DHS is unique in that our National Cyber Security Division is tasked with providing policy, guidance and direction to state and local governments, tribal governments and the private sector. Through the federal CIO Council, we have been paying a lot of attention to cyber-security. What we've done there is to try and coordinate and share best practices. We know who actually is making good progress and we talk to them about how they're doing that.

I would argue, based upon factual data represented by FISMA scorecards, that the government as a whole is slightly more secure.

Can the government have any effect on commercial network security?

That's a legitimate question. The federal government can have an incredible impact through a different mechanism—legislation. Look at the impact the Sarbanes-Oxley Act has begun to have on disclosure of financial risk and vulnerability. Now, suppose Congress passed a law that said CEOs have to sign off on cyber readiness and preparedness, much as they do on their financial statements. That would have a huge impact. There is talk about such legislation, but to the best of my knowledge there isn't any yet.

Meanwhile, our National Cyber Security Division has been working very closely with the private sector that owns the country's critical infrastructure, and with our public-private Information Sharing and Analysis Centers, of which there are 13, each aligned with particular industries. Some, like the telecom ISAC, have been in place for a long time. A great deal of trust has been built among the members of the private sector and those folks in the ISAC, and there is a lot of very good exchange of information on risk and vulnerability. But that's one end of the spectrum. In certain other ISACs, some of which are brand-new, there is very little trust in the federal players. It's a mixed bag.

Which specific ISACs aren't making much headway?

In general, some of the financial services and insurance groups. This is me, Steve Cooper speaking, I'm not representing a federal position or policy, but I can't blame folks in those industry segments; after all, information security is their lifeblood. Let's suppose the banking industry shared a vulnerability and said, "You know what? If somebody attacked us and took advantage of this vulnerability it could bring the banking industry to its knees." Holy cow! Can you imagine the impact if that information were made public? I can't blame them for not wanting to share anything.

Some experts say that if the government were to announce that it will only procure software with minimal holes and backdoors, the problem of lazy coding would disappear and everyone would be safer. Do you agree?

Yes, I think that's fair. There have been discussions about that in the Department of Homeland Security, the federal CIO Council and at the Procurement Council. But here's the dilemma: Let's suppose we actually put our criteria together and announce that we're making it effective Jan. 1, 2005. What happens if we're trying to buy something and no software meets our criteria? Do you say, "Wait a minute, I need something here and I'm going to live with the vulnerabilities for the time being and buy the product?"

Still, I think we are going to pursue this issue, though I don't know exactly what form it will take.

Randy Barrett, based in the Washington, D.C. area, has been following business and technology for 15 years.


Submit a Comment

Loading Comments...
eWeek eWeek

Have the latest technology news and resources emailed to you everyday.