IfG.CC - The Potsdam eGovernment Competence Center

Given that the private sector owns and operates between 80 percent and 90 percent of the nation's digital infrastructure, the military and civilian agencies realize that they can't go it alone in the face of ongoing and persistent threats from a multiplicity of attackers both at home and abroad.

The catch phrase, a mainstay in nearly every blueprint for federal cybersecurity, is "public-private partnerships."

The federal government needs to do more to come up with a comprehensive strategy for funding and carrying out research and development of new cybersecurity technologies, according to a new report by the Government Accountability Office.

Cybersecurity R&D is currently a multi-headed set of initiatives within government. The report lists, in addition to the breadth of executive agencies, 14 different organizations involved in oversight and coordination of cybersecurity R&D, with various hands in a dizzying array of pots, and five agencies actually funding and conducting most of the government's cybersecurity R&D.

Government agencies are spending billions on technology for homeland security, yet system vulnerabilities are increasing exponentially, agency representatives told a Congressional panel this week.

But there still is room for improvement, the survey found. Although 92 percent of government respondents had received security training, compared to 69 percent in the private sector, 34 percent of them reported that at times they felt they had to circumvent security policies to get their job done, a statistical dead heat with those in private enterprises.

NIST and NSA collaborated with representatives from industry to develop the Extensible Configuration Checklist Description Format (XCCDF) as a way to provide a uniform format for security checklists, benchmarks and other configuration guidance.

One approached died last week when the federal CIO Council withdrew its support from the CISO Exchange, a privately run group chaired ostensibly by senior government IT officials. The way the CISO Exchange worked, six companies willing to fork over $75,000 could join the Exchange’s exclusive advisory board comprised of leading federal CIOs and chief information security officers. Other vendors, with smaller contributions, would have had some, but more limited access to these officials. The arrangement smacked of pay to play, and the Exchange’s initial cheerleader in Congress, House Government Reform Committee chairman Tom Davis, vacated his earlier, enthusiastic endorsement.

On Friday, the House passed the National Defense Authorization Act by a vote of 229 to 186, which included an amendment co-authored by Reps. Diane Watson (D-Calif.) and Jim Langevin (D-R.I.) that achieved many of the provisions outlined in separate pieces of legislation introduced earlier by the lawmakers.

In the months following the September 11 attacks on New York and Washington D.C., it was determined the issue of identity verification needed to be addressed. Homeland Security Presidential Directive 12 (HSPD12) established the requirement to verify the identity of all federal employees and issue them a secure identity credential. This has resulted in the issuance of millions of Personal Identity Verification (PIV) credentials.

Spending on IT security is expected to increase from $6.1 billion in 2005 to $7.3 billion in 2010, according to Input, a Reston, Va.-based research firm. Furthermore, spending on professional services associated with IT security -- the design, development and operation of security systems, as well as upgrades and maintenance -- is expected to grow from $3.7 billion in 2005 to $4.4 billion in 2010. While $1 billion increase in spending is nothing to sneeze at, it doesn't exactly present the goldmine right off the bat that some VARs might have expected.

“The nation that started the Internet ought to be the first to secure it and still protect civil liberties,” he said, speaking at a cybersecurity conference in Washington Thursday. “We can and we must.”

You can buy hunting and fishing licenses. Fork over the registration fee for your boat or snowmobile. Renew a nursing or physician license. Report workplace injuries. Pay your taxes. You can do a lot of business with the state of Minnesota online.

But how secure is the personal and financial information that people share with the state via the Web?

The Protecting Cyberspace as a National Asset Act of 2010, S.3480, would create an Office of Cyber Policy in the White House with a director accountable to the public who would lead all federal cyberspace efforts and devise national cyberspace strategy.

There is a change taking place around identity and credentialing in the enterprise and government markets. Identity is now an enterprise business requirement with its own infrastructure, policy and budget. Identity makes use of open standards to achieve interoperability and requires the highest level of assurance. The change is that physical access control and other enterprise applications no longer issue credentials. Instead, they use a common digital identity of digital certificates and the 21st century utility of the Internet as well as private networks.

The product of two formal public reviews and the focus of numerous workshops and teleconferences over the past 17 months, the three-volume set of guidelines is intended to facilitate organization-specific Smart Grid cyber security strategies focused on prevention, detection, response and recovery.

"The fact that the president, in the first time in my memory, made a major speech about cybersecurity, talked about it as a national priority, spoke about it as being a major priority for his administration... and that he created office which would have cross organizational responsibility is significant," said Dan Chenok, chairman of the government's Information Security and Privacy Advisory Board.

As shared service centers, the agencies would aim to conduct certification and accreditation (C&A) activities more effectively than agencies currently do themselves because they will deliver the services across multiple agencies using best practices under the Information Systems Security Line of Business, said Karen Evans, OMB’s administrator for e-government and information technology, in a briefing with reporters.

Karen Evans, OMB administrator for e-government and IT, said Tuesday at the GCN Cybersecurity Conference in Washington that a task force would complete its work by September so that guidance would be available to agencies for the fiscal 2007 budget cycle. “We’re on a fast timeline,” Evans said.

In a new paper, “Common Risks Impeding the Adequate Protection of Government Information,” OMB and DHS discuss common problems in areas such as training, contracting and records management.