[ISN] Bush Needs To Ramp Up Cybersecurity In New Year

InfoSec News isn at c4i.org
Wed Dec 29 01:32:02 EST 2004


By Larry Greenemeier 
Dec. 28, 2004 

The Bush administration plans to address the demands to advance its
cybersecurity policies in the new year, but some critics question
whether the administration will go far enough to protect the United
States from increasingly sophisticated cyberattacks and security

The administration's stance is that advancing cybersecurity will
inherently be part of any new federal government IT initiatives.
Others, however, believe the president should create a distinct
administrative cybersecurity position within the Homeland Security
Department to oversee progress in the federal government and act as a
liaison with private industry.

Cybersecurity costs are expected to be factored into all agency budget
requests. It's a matter the administration takes seriously enough that
the Office of Management and Budget suggests agencies without adequate
plans to improve cybersecurity shouldn't move to any new IT projects
until cybersecurity is addressed, says Karen Evans, OMB's
administrator for E-government and IT.

Entering his second term, President Bush faces a number of challenges
to IT-related initiatives such as cybersecurity. Perhaps the greatest
challenge is a growing budget deficit projected to reach $521 billion
for fiscal 2004. The president has promised to cut the deficit in half
within five years, but much of this will depend on a reduction in
spending, including a heavy reliance on IT to cut costs.

"This doesn't necessarily mean that IT budgets will be cut," Evans
says. "If an agency is properly managing their portfolio, their IT
budget might go down because they're achieving the same or better
results with the same amount of tax dollars."

While OMB's expectation that each federal agency bake cybersecurity
into its budget is a good start, the Cyber Security Industry Alliance
is looking for the Bush administration to do more to get private
industry to adopt such standards, since private industry owns and
operates 90% of the United States' critical infrastructure. The
alliance was launched in February by a group of technology providers
including Computer Associates, Network Associates, and Symantec.

The Bush administration has laid out a good cybersecurity strategy,
says Paul Kurtz, the alliance's executive director and former senior
director of critical infrastructure protection for the White House's
Homeland Security Council. In a paper published earlier this month,
however, the alliance urged Bush in his second term to use his
influence to follow through on his National Strategy to Secure
Cyberspace, a February 2003 initiative that called for the formation
of a national cyberspace response system, a cyberspace security
threat- and vulnerability-reduction program, and a cyberspace
security-awareness and -training program.

Kurtz acknowledges that the Department of Homeland Security has made
some progress regarding cybersecurity, but he still would like to see
responsibility for cybersecurity and physical security divided between
two assistant secretaries. Robert Liscouski, Homeland Security
assistant secretary for infrastructure protection, handles both. "We
don't have that senior-level focal point to work with both industry
and government on cybersecurity matters," he says.

When Congress earlier this month passed a simplified version of its
Intelligence Reform Act after cutting a provision that would have
created a high-profile assistant secretary of cybersecurity within
Homeland Security, advocates perceived this as a slight to
cybersecurity's importance. "Often in this town, what really matters
is the authority that comes with one's position," Kurtz says. "There's
a lot that goes with such a position; it resonates on the Hill,
creating accountability and someone the Hill can go to as a designated

Evans says the formal creation of an assistant secretary for
cybersecurity position is unnecessary. Any distinct cybersecurity
position within Homeland Security is a management issue that should be
worked out within the department, she says.

Both Evans and Kurtz agree, however, that the nation's data and IT
infrastructure will only be protected through a partnership of
government and industry. Such a partnership includes calling on
private-sector companies to secure their systems, but also
government's willingness to apply successful private-sector
cybersecurity initiatives to its own systems, Evans says.

"This is not all on the government's shoulders," Kurtz agrees. "There
needs to be a great action on the part of private industry." The
Commerce Department should, for example, urge CEOs to review
cybersecurity measures during board meeting reviews of business
operations, he adds.

Setting aside the debate over the assistant secretary position, Kurtz
is optimistic that cybersecurity will improve if the Senate ratifies
the Council of Europe's Convention on Cybercrime and the Bush
administration can encourage information-security governance in the
private sector.

Says Kurtz, "I'm confident that in a second term we'll see more action
on these items."
