About this series: In a paper he wrote and published before President Obama's announcement regarding the creation of a national cybersecurity coordinator, Ariel Silverstone, CISSP, put forward his thoughts about the necessity of having a chief security officer for the United States. In this Final installment, he discusses timelines and priorities as he sees them. Silverstone then addresses the need for input and involvement from academia and the private sector.
TimelineThe breadth of the job ahead demands priority assignation. The same weight cannot be placed on every goal; the same priority cannot be given to every task. We know there is plenty to be done. As a matter of pragmatism, we must quantify the risks and the available resources.
Breaking the challenge down into a three-tier plan makes our approach and resource planning and allocation more feasible. Some items will require immediate consideration and mitigation. I would place those in the urgent plan. Known problems that require a measured and well-executed approach will be put into the tactical plan, to be addressed within one to three years. Finally, those large tasks for which resources and plans must be marshaled belong in the strategic plan, to be addressed within a 3-to-5-year period.
For multi-year funding issues, please refer to the budget section above.
The urgent planThe very first task of any information security program is to create awareness of the opportunity to improve, the benefits of information security, and the drawbacks to being insecure. Every dollar spent in what is generally referred to as awareness is returned many fold in the form of informed professionals, watchful personnel and ab initio securely defined systems, tasks and procedures.
The role of Information Security, as a part of the inherent design of processes, is to facilitate progress. Without information security, tools that we rely on for the performance of our daily jobs, and even our daily life, will not be possible. As some examples describe, government services, currently offered in a portal form, would not be available; medical insurance would be unfeasible; and credit would not be extensible.
A coherent and far-reaching information security awareness program must be developed. This program will be communicated through the auspices of educational facilities from the secondary school level and beyond. A workplace program for organizations that manage and access critical and sensitive systems must be thought out. Such a plan should not have to come from the Federal government, but should be encouraged and perhaps even mandated by funding and emphasis on information security.
Task 12: Invest, develop and encourage information security awareness programs in the educational system and in sensitive information asset-related industry.
The urgent plan would contain items that define obvious and easy-to-exploit vulnerabilities. These will include assets currently under attack and assets whose vulnerabilities are either already known or are predictable to assess. This vulnerable list will form the core of the urgent plan's goals.
Task 13: With the aid of the information gleaned from Task 1; assemble a collection of easily exploitable and vulnerable assets.
Further, items whose protection is critical to safety and security of the United States information sphere belong in this plan. Even if a known vulnerability does not exist, the review of these items' security is essential. This Business Impact Analysis (BIA) is essential to the delivery of services performed using those critical information assets.
Task 14: As a continuation of Tasks 4, 5 and 13 above; assemble a priority list of sensitive and critical information assets that must be addressed in the urgent plan.
It may seem obvious, but I feel I must state the fact that the urgent plan should not be seen as a fire-and-forget, disposable, plan. New items would be added and existing items removed, as they are addressed. This plan will continue in effect in perpetuity, constantly updated and honed.
Task 15: Continue maintaining and managing the urgent plan, with an eye towards advances in technology, our understanding of the evolving information security landscape and the inherent effects, which this progress will bring.
The tactical planIn addition to the input from tasks above, a collection of known problems and opportunities to improve on our information security posture must be distilled to create the tactical plan. I would recommend the analysis of laws, regulations, policies and procedures, and, in some cases, propose the creation of same with a long-term view toward the changing threat landscape.
In conjunction with the utilization of best practices, together with the input from the standard process above, a desired-state goal will be promulgated. Working jointly with agency CISOs, there is a need to formulate a plan to achieve that state.
Task 16: Work with agency CISOs to plan a coherent tactical roadmap, with measurable progression milestones, achieving a desired state of information security readiness.
Collaboration with private industry and academe will reveal additional layers of information assets, outside the Federal sphere proper, which must be protected and safeguarded. These assets should be integrated into the plan and the advisory board, stipulated in Task 7 (above), will advise, involve and assist in the planning and reviewing of protection for these assets. I applaud the GAO's recommendation to "Place greater emphasis on cybersecurity research and development, including consideration of how to better coordinate government and private sector efforts" here.
Task 17: Utilize the formal advisory board to help derive substantive improvement in other-than-governmental information assets' security posture.
Finally, the full cooperation of Academe and of non-civilian agencies will yield the ability to perform exercises, such as Cyber Storm, to test, evaluate and measure the increase in protection of information assets, in a comprehensive format, a format that is simply not available today.
Task 18: Leverage America's utilization of its Academic leadership together with non-civilian agency capabilities to stress-test the system and measure its capabilities, weaknesses, and room for enhancement.
The strategic planWe know some of the tasks ahead to be enormous. Several of these tasks require legal change, financial allocation, lengthy preparedness or even a sea-change in understanding and approach to information security.
The key shall be not to shy away from a task simply because of its breadth, scope or cost. Where necessary, we should ask for legal advice and support. When resource availability is a concern, we must work with Congress and the Office of Management and Budget (OMB) to resolve the challenge. If preparation is the key, we must plan ahead and gear-up to the challenge.
Task 19: Analyze the tasks falling within the strategic plan to properly prepare and define their scope, timing and resource demand. Use this analysis to detail the need and forecast the requirements to fulfill these tasks.
Since not all information needed to populate this plan is known at this time, the plan ought to continue to evolve. The plan would be originated utilizing information from the systems known, and from information gathered from performing the urgent and tactical tasks above.
This plan comes with the requirement for awareness and dedication that does not allow room for fear nor hesitation with regard to the enormity of its breadth, scope or potential cost.
ParticipationA successful Information Security program requires devoted and attentive participation from all stakeholders. The CISO should lead by example and encourage the contribution of as many sectors of our industry, academia and culture as possible.
I would ask for voluntary participation in the advisory board (see Task 7, above) from information security thinkers, industry leaders and legal advisors, to augment the knowledge already held by the government and create new way to address challenges. In compliance with the Federal Advisory Committee Act Amendments of 1997 I would invite experts on privacy as well as on commerce to advise and contribute to the effort ahead.
Government rolesThe government must lead the effort of protection of its assets. Each agency must be responsible and accountable for its own house. In addition to this, basic, responsibility, the agencies' capability to contribute to the entire effort must be evaluated and considered.
The trial programs allowing certain government knowledge-sharing with private industry must be codified. These efforts have the potential to increase by orders of magnitude the protection with which our sensitive industry is equipped. The knowledge shared will have the benefit of enhancing the Public trust, protecting our culture and assuring delivery of essential services.
Task 20: Work with private industry and Congress to codify information sharing from the government to industry and vice-versa.
Task 21: Create a formal process where information sharing, such as described in Task 20, can take place.
Further, the government must improve on the build of the basic ISACs. The potential to prevent large-scale damage and to prepare similar organizations to a known and already defended-from attack is simply too important and time critical to leave unutilized.
For sensitive regulated industries, such as the financial sector, a formal form of incident response is needed. Voluntary cooperation with suggested guidelines or even standards, as the case is, mostly, today, would leave the country unevenly and inadequately protected from evolving threats.
Task 22: Work with industry, Congress and various government agencies to define and codify the minimum Incident Response program requirements for sensitive industry sectors.
Industry roleThe government should not and must not enact, demand, deploy and address information security concerns in a vacuum. Industry ought to participate and contribute from its knowledge, development and discovery to the enhancement of our information security posture.
Agility and flexibility, not typically the bulwark of governments, must be utilized to respond to rapidly changing threat scenarios. New tools maximizing efficiency and redundancy should be made available and shared with government functions.
Additionally, for cost and efficiency reasons, the acquisition, deployment and usage of Commercial-Off-the-Shelf (COTS) products should be maximized. Only in very specific cases will development of a special tool or technique be required by the civilian government.
Naturally, the addition of government customers will require industry to adapt, grow, and support additional capabilities, which might be at this time nonexistent or neglected. This is an opportunity for tremendous growth for industry.
Academe's roleIf information security awareness is the foundation to a successful information security program, such a program's capstone is leading research that our institutions of higher learning perform.
Much as the Internet was developed with the government's help in a series of universities, so would many future developments in information security.
The United States government ought to champion offering incentives to both institutions and students, as well as to employers, to teach and research information security and related subjects.
From time to time, there will be the need for specific, pointed examination of a certain opportunities for improvement. These opportunities should be communicated to academe and jointly incentivized to assure the timely and comprehensively addressing of issues raised.
Task 23: Propose the creation of a national information security education board, whose tasks are to facilitate communications, help direct research, and propose topics for education and study.
This board will be specifically involved with information security and work with the chief information security officer. It is different from the Federal Bureau of Investigation's (FBI) National Security Higher Education Advisory Board and will have different focus and goals.
SummaryI created this document to show my thoughts on how I to go about enhancing information security for a federal government and for us, the American public. Knowing that securing our Information space is a large and trans-generational job, I listed what I see as the steps to be taken to address the pressing need in the nation today.
Not all the ideas in this document are wholly mine. This document also builds on others' ideas: from Howard Schmidt to Rod Beckstrom; from Professor Eugene Spafford to Doctor Eugene Schultz and many others. Where those ideas make sense, credit goes to my mentors; where these do not, criticism goes to me.
As I stated in the opening, I welcome any input regarding the contents of this paper. Please send such input to my email address at firstname.lastname@example.org.
Thank you for your kind attention and support.
This story, "A Plan to Secure the Federal Cyberspace, Part 3" was originally published by CSO.