Cybersecurity: White House plan boosts funding, requirements for federal agencies
Whatever the White House's new draft cybersecurity plan lacked in specific requirements for the private sector, it more than made up for in proposed spending to improve security at federal agencies.
The federal government likely will spend $20 billion on information technology security, including research and development, over the next three years, according to the just-released "National Strategy to Secure Cyberspace." Of that, $4.5 billion has been requested for fiscal 2003, a 64 percent jump from the current year, according to Howard Schmidt, vice chair of the President's Critical Infrastructure Protection Board.

The 58-page draft plan, released Sept. 18 by the board, makes general recommendations for addressing cybersecurity concerns at all levels of the nation's infrastructure, from home users to state and local governments to specific industry sectors, such as banking and finance, water, electric and transportation. The plan also lays out more specific requirements for federal agencies and a strategy to create a single, unified security infrastructure for the government.

Perhaps most significantly, the plan gives teeth to the Government Information Security Reform Act, or GISRA, a 2-year-old law that requires agencies to assess and report on the security needs of their systems as part of their budget requests to the Office of Management and Budget. The strategy recommends that OMB reject agency budgets that do not include plans to boost protection and address security shortfalls. In many ways, the plan "is codifying and institutionalizing GISRA in a way we didn't see in the Clinton administration," said Tony Franzonello, business development manager with immixGroup, a McLean, Va., government consulting firm.

The planned spending increase on IT security will be needed to help agencies meet GISRA's strict requirements, according to industry officials.
That's partly because agencies have been caught on the horns of a dilemma when it came to GISRA, said Brian Finan, director of strategic programs and homeland security at Symantec Corp. of Cupertino, Calif. They got failing grades for their security efforts, which reduced their funding and made it more difficult to improve their security posture. "Federal agencies need to be provided the resources so they can improve their standing," Finan said. "They didn't have the funding or the direction."

The draft plan was the target of much grumbling from industry officials and pundits, who said the plan was more flash than substance. These critics said that, with the private sector controlling 85 percent of the nation's critical infrastructure, the plan should have provided more specific guidance and even requirements for businesses. Others expressed fears that if companies don't take action on their own, the government will implement regulations requiring security compliance. Richard Clarke, the president's special adviser on cybersecurity and chairman of the critical infrastructure group that put out the report, defended the decision to release the plan in draft form and without specific recommendations "because the government cannot do it alone. ... We must rely on [nongovernmental organizations] and the private sector to do most of the work."

But the plan's recommendations for government are more detailed and include specific actions and timelines. Consequently, the strategy could have a "profound effect" on the government marketplace, said George Schu, vice president of public sector development at VeriSign Inc., Mountain View, Calif. Based on elements of the strategy, Franzonello said his firm expects to see spending pick up on network monitoring, auditing and physical and logical access control. Schu agreed, saying access control that uses a combination of passwords, smart cards and biometrics will be big.
"Some of the very clear direction [is that] two-factor identification would be used by all employees of the federal government by 2004," Schu said. "That's a very ambitious timeline, because that's a lot of people to get two-factor IDs for. ... I think it foretells a lot of activity in that area that we can address."

The plan also calls attention to the availability of commercial automated auditing and reporting mechanisms. One of its recommendations states that by the second quarter of fiscal 2003, the government must identify specific actions to promote the use of commercial products for security assessments and threat management.

OUTSTANDING ISSUES

The government's commitment to cleaning up its own security issues does not just present moneymaking opportunities for vendors. There are some potentially significant costs as well. For instance, by the third quarter of fiscal 2003 the government will decide whether security vendors selling to agencies will have to be certified as meeting certain minimum capabilities. If so, those without certification will find it very difficult to obtain government IT contracts.

Another consequence of the government's plan may be the emergence of de facto standards for secure network protocols, industry officials said. One reason the plan does not attempt to set standards for the private sector is that the administration is content to let the marketplace set standards. But the government is a mighty big customer in that marketplace. "There is a recognition on the government's part that one of the ways to get support in the private sector is to lead by example," said Guy Copeland, vice president for information infrastructure advisory programs at Computer Sciences Corp., El Segundo, Calif. By setting their own standards, and including those standards in their procurement processes, agencies will raise the security threshold for companies wishing to do business with the government, he said.
Laura Koetzle, an analyst with Forrester Research in Cambridge, Mass., said the government's cybersecurity challenges will not be solved by spending on hardware and software alone. "I would argue the most important component is the people element," Koetzle said. "Too often people concentrate on the walls in defense-in-depth, when education really is key." Koetzle said the plan accurately identifies the need for senior agency managers to pay attention to the security problem, especially through implementing improved security education and awareness -- another area where outside contractors can look to make gains.

But not everyone is sanguine that the new plan will significantly boost the government IT market. The problem is that computer security is not something that can be mandated, such as airport security, said James Kane, president of market research firm Federal Sources Inc., McLean, Va. "While the report is [valuable], the response reminds me of the commercial services activity panel. They both addressed very critical issues, they both were eagerly awaited, but neither had the impact [one] might have hoped," he said.
Brian Finan, Symantec Corp., says many federal agencies got failing grades for their security efforts.
Henrik G. de Gyor