Q&A: Evans says feds steaming ahead on cybersecurity plan, but with privacy in mind
Top federal IT exec: Expanded network security efforts will be done 'in a very transparent way'
Computerworld - The House Committee on Homeland Security held a hearing on Thursday to discuss aspects of the U.S. government's Cyber Initiative, a classified program ordered by President Bush in an effort to boost the security of federal networks and systems. Among the government officials who testified at the hearing was Karen Evans, who serves as the de facto federal CIO in her capacity as administrator of e-government and IT at the White House Office of Management and Budget. In an interview with Computerworld today, Evans discussed the hearing and parts of the Cyber Initiative, including the involvement of the National Security Agency (NSA) and a plan to broaden the use of the government's Einstein network monitoring system and upgrade it by adding real-time threat-detection capabilities. Excerpts follow:
What should people take away from the House hearing? The big takeaway is that the federal government is moving forward in an accelerated way with the Cyber Initiative to ensure that we're properly protecting, and managing the risks associated with, the information we collect. And that we're working to ensure that there is privacy, and we're doing it in a very transparent way. This is really bringing together all the existing efforts [that were already under way] and driving that with very specific deadlines, which I welcome.
When you look at all the initiatives we're doing — like the implementation of IPv6, HSPD-12 [a smart ID card program], Trusted Internet Connections, the activities we're doing under the policy memo from the president's identity theft task force and the [Federal Desktop Core Configuration] — that's a defense-in-depth vision.
In addition to those efforts, is there anything new that's required under the president's directive? The piece that's different is Einstein. Up to this time, Einstein was an optional program for federal agencies. With this initiative, it is no longer an option. Einstein is [a mandatory] part of the solution that sits at an external network connection.
There's another part that will change as well: the [U.S. Computer Emergency Readiness Team] will have more operational capabilities here, so to speak. If any agency isn't doing its part in maintaining everything that it needs to maintain at an external connection, US-CERT will have the ability to block that connection and reroute traffic through another gateway. That isn't [meant] to impact the agency's mission — the missions of the agencies are first and foremost, and that will continue to go on. But if something isn't working right, US-CERT will have the ability to stop it.
It could be patching: Maybe one of the gateways doesn't have all of the patches installed [that it should]. So why would we want that vulnerability to stay up there? We wouldn't. This is all basic networking types of things. There's nothing ominous about it.
What's the goal of expanding the use and capabilities of the Einstein system? It will give us better situational awareness. Einstein will look at IP addresses, headers — that kind of information. We're not going to be reading e-mail or anything of that kind. It works in the same way that any intrusion-detection system does.
What role will the NSA have in all of this? You should think of NSA as a shared service on information assurance. The way that this setup is, we are supposed to capitalize on them. We've always done that. NSA determines security standards, then they hand the standards off to [the National Institute of Standards and Technology]. NIST then takes those in a very public way through its regular standards-setting process. So it's very transparent.
What you do is capitalize off of the people who have the knowledge. In the case of the FDCC, NSA worked on standards through its information assurance program. That was then agreed upon through the Department of Defense. What we did was take those standards and then put them out for public comment. Industry got to review everything that we were doing. There were 700 standards that went public, and now we're using them within the federal government. That's how NSA continues to work with the civilian agencies. That's how it was set up.
What's your message to people who are concerned about the privacy implications of the Cyber Initiative? My [response] to all of them would be that we are by statute required to do privacy impact assessments. We're supposed to take a look at all of the information we collect, and we have to do a system-of-records notice that is required under the Privacy Act. When we put those [notices] out for public comment, they should be looking at those. And even after the privacy impact assessments are publicly available, agencies still continuously take comments based on the information that is out there.
When you go to an agency Web site, you see their privacy notices, because every agency is required to publish that. So I would look through those privacy notices and the privacy impact assessments. Also, we're getting ready to deliver our annual [Federal Information Security Management Act compliance] report to Congress. What we have done is expanded on that, though we weren't required to. We now include a privacy aspect. So we're giving a governmentwide status report on the privacy activities that agencies are engaged in.
Read more about Security in Computerworld's Security Topic Center.
- Silicon Valley's 19 Coolest Places to Work
- Is Windows 8 Development Worth the Trouble?
- 8 Books Every IT Leader Should Read This Year
- 10 Hot Hadoop Startups to Watch
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Neustar 2014 DDoS Attacks and Impact Report For the third consecutive year, Neustar surveyed hundreds of companies on distributed denial of service (DDoS) attacks. The survey reveals evidence that the...
- Acxiom Case Study This case study, which focuses on Acxiom, explores how the company was able to secure employee data, reduce migration costs and boost productivity...
- Windows® XP Migration: Protect and Secure Critical Data With the end of the Microsoft Windows XP operating system's lifecycle on April 8, 2014, businesses are faced with the decision to migrate...
- Enhancing Application Protection and Recovery with a Modern Approach to Snapshot Management This CommVault Business Value and Technology White Paper explains how Simpana IntelliSnap® Recovery Manager can make your application recovery fast and reliable.
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts