Cybersecurity was elevated to an unprecedented level of attention by the U.S. Government in the year 2009. It all began with the January 20th inauguration of Barack Obama, recognized as the most tech-savvy president to ever occupy the Oval Office.
As we moved through 2009, many “cybersecurity-centric” events happened within the government that most certainly will have — if not already — affected the security and risk management planning groups within organizations both in and outside of the United States. In most cases, and as a result of these many “cybersecurity-centric” activities, organizations today are revisiting and rethinking elements of their current and long-term strategic business continuity planning processes.
To better understand these government efforts to secure federal digital assets, and to evaluate how those efforts might help or support your own organization’s business continuity and risk management efforts, we would like to bring your attention to a recent article written by Eric Chabrow, Managing Editor on the GovInfo Security website.
In this article, Eric Chabrow, calls out what he believes to be the most important cybersecurity happenings in the government during 2009. And even though 2009 provided more promise than triumph, Mr. Chabrow believes that the foundation was laid for what could prove to be a very productive 2010.
A summary of that list is as follows:
1: That Cybersecurity Vision Thing
Though cautious, President Obama said the right things in his May 29 White House address: “Protecting this infrastructure will be a national security priority … Protecting our prosperity and security in this globalized world is going to be a long, difficult struggle demanding patience and persistence over many years.”
2: Czar Wars
At the heart of President Obama’s cybersecurity policy is the creation of a position the chief executive calls a cybersecurity coordinator, a senior White House adviser who would report through the National Security Council. More detail of this “Czar War” point is presented in the referenced article by Mr. Chabrow.
3: Legislation ‘R’ Us
Some of the pending and ongoing legislative activities concerning cybersecurity were: the U.S. Information and Communications Enforcement Act, legislation aimed to update the Federal Information Security Management Act of 2002 – U.S. ICE, as the bill is known, was one of the more visible pieces of legislation introduced in 2009; Cybersecurity Act of 2009, which included a provision that would allow the president to declare a cybersecurity emergency and shutdown Internet traffic to and from government IT systems and the nation’s critical IT infrastructure; an omnibus cybersecurity bill that could incorporate provisions of both bills and the Cybersecurity Enhancement Act, a nuts-and-bolts IT security bill that would require the president to assess the government’s cybersecurity workforce, including an agency-by-agency skills assessment, and provide scholarship to students who agree to work as cybersecurity specialists for the government after graduation.
4: Summer Breaches
Starting over the Independence Day weekend and continuing for about a week, hackers targeted government and business websites in the United States and South Korea, causing varying degrees of disruption of service. Among federal government websites reportedly assaulted: the White House, National Security Agency, Departments of Defense, Homeland Security, State and Transportation and Treasury; Federal Trade Commission and the Secret Service. Tom Kellerman, who chaired the threats working group of the Commission on Cybersecurity for the 44th Presidency, characterized the attack as “a fact of life now because of Web 2.0 and that’s the real worrisome phenomenon here.”
A month later, hackers defaced the homepages of a dozen House members.
In June, Deputy Defense Secretary William Lynn III revealed that more than 100 foreign intelligence organizations are trying to hack into U.S. information networks, the No. 2 Defense Department official said Monday. “This is not some future threat. The cyber threat is here today; it is here now,” Lynn said.
How pervasive are attacks on government systems? The Government Accountability Office in October said NASA reported 1,120 security incidents that have resulted in the installation of malicious software on its systems and unauthorized access to sensitive information in fiscal years 2007 and 2008.
5: CAG: A No Brainer
Its common sense: the proper use of controls has a positive influence on securing IT assets. A public-private consortium in February determined the greatest threats to IT systems and developed 20 Consensus Audit Guidelines, or CAG, that federal agencies and others should implement to protect those systems
6: IT Celebrity Cult
What separates 2009 from other years when it comes to government IT and cybersecurity is the cult of personality of those placed in charge.
7: The Departed
How important they were in the overall picture of securing government IT assets is open to debate, but the fact that several highly visible cybersecurity leaders left government service this past year drew considerable attention.
8: Transformational Guidance
The superlatives flowed in November when the National Institute of Standards and Technology (NIST) issued a draft revision to its Special Publication 800-53.
Past NIST guidance focused mostly on steps IT security pros should take to safeguard information assets, processes that didn’t involve the continual monitoring of a systems’ security.
9: Help Wanted
The job market looks bleak almost everywhere, except for the federal government, at least when it concerns cybersecurity.
10: Retooling NIST
New NIST Director Patrick Gallagher, who the Senate confirmed Nov. 5 issues the statement that, “Every manager should be striving to make sure their organization is as effective as possible.” In fact, Gallagher has asked his top managers to reassess NIST’s organizational structure – a move that could lead to its first reorganization in nearly two decades. All options are in play, including the possibility of merging some of its 10 laboratories, the major units within NIST.
CLICK HERE to read the entire article including important links to other related stories on cybersecurity and then pass this information along to your business continuity manager(s).