At the end of 2001, it was widely reported that U.S. government agencies have earned failing grades for their efforts to improve information security.
In a report issued in early November, General Accounting Office (GAO) officials testified to Congress that the federal government has failed to put in place a system that adequately protects critical infrastructure from attack. This was just the latest in a series of largely negative reports on how well federal agencies are complying with Presidential Decision Directive 63 (PDD-63) and with the implementation measures that followed it.
In 1998 President Bill Clinton issued PDD-63 to establish a coordinated national response to the threat of attack on the nation's critical infrastructure, including transportation, energy, financial, communications and other industries. PDD-63 specifically addressed information as one of those assets. It directed every agency to assess its vulnerability to cyber or physical attack, and to implement a plan for eliminating those vulnerabilities. The directive's explicit goal was to create "a reliable, interconnected and secure information system infrastructure by the year 2003, and significantly increase security to government systems by the year 2000."
Since that time, the government has undertaken dozens of initiatives to implement PDD-63 and related guidance. The National Infrastructure Protection Center (NIPC) was established to coordinate the government's response to any security incidents, to mitigate attacks, and to investigate cyberthreats. The National Infrastructure Assurance Council and the Critical Infrastructure Assurance Office were founded and jointly published a national plan for infrastructure protection. The Federal Computer Incident Response Center (FedCIRC) was set up to analyze and coordinate computer security issues affecting the federal government. And the FBI's Infragard initiative was developed to encourage the exchange of information between the government and the private sector, attaining 65 chapters nationwide with more than 2,000 members.
How successful have these initiatives been? According to the GAO testimony, there has been some progress made, but not enough. Although the government has budgeted $2.6 billion for infrastructure protection, the GAO testimony said, "Independent audits continue to identify persistent, significant information security weaknesses that place federal operations at high risk of tampering and disruption."
After reading the fine print in the highly publicized reports, and based on my experience at one federal agency, I believe strongly that the general public may be getting the wrong idea. At the Federal Aviation Administration's Office of Regulation and Certification, where I manage the contractor support for the information systems security program, implementation of the directive has resulted in significantly increased protection for much of our aviation system infrastructure.
When PDD-63 was issued, the FAA quickly established a multi-faceted program to address the issues identified in the directive and to focus attention on historical weaknesses. At the lowest levels, the agency began requiring every employee to attend information security awareness training. At the highest levels, every line of business was required to identify key personnel to be accountable for the security of agency information. A shortfall in information security staff was addressed by providing training opportunities to those federal employees who qualified for the certified information systems security professional (CISSP) certification offered by the International Information Systems Security Certification Consortium (ISC)2.
The FAA's CISSP community is intimately involved in the day-to-day operation of the agency's security program, many serving as information systems security managers and officers, overseeing key components of the FAA's security program, and establishing processes and procedures to manage our risk.
In the FAA program that I help manage, within 18 months of PDD-63 we had enacted an information security policy and developed or enhanced detailed security requirements. We also began an intensive effort to assess our critical systems, identify security flaws, and implement counter-measures to strengthen asset and network protection. All of these efforts were methodically aimed at securing our critical systems by May 2003, as PDD-63 directed.
Then September 11 happened, followed shortly by renewed attacks from Code Red and Nimda. The FAA's incident response group was immediately transformed into a 24/7 operation. Federal CISSPs and other experienced staff were asked to temporarily volunteer for shifts until the group could be permanently staffed. We redoubled our efforts to identify our cyber vulnerabilities, not just in systems labeled "critical," but also in other assets subject to attack by new viruses and worms. We are reviewing the information we make available on our web pages, removing anything that might be helpful to terrorists while preserving our citizens' right to see this information. And while we react to immediate threats, we are still carrying out our PDD-63 tasks and working to meld our security program with other technology management activities.
So why, then, are we reading about criticism from the GAO, Congress and others? The answer lies, I believe, in the arena where most relationships fail - communication. So far, despite establishing dozens of commissions and offices and publishing report after report and policy after policy, the federal government has failed to adequately address cross-agency initiatives or the coordination of communication between the government and industry required to protect an interdependent critical infrastructure.
Is the government blind to what's needed to make this happen, as has been suggested by some federal officials? Until now, it may have been, but it is rapidly becoming a cliché that after September 11, we are living in a new world. In a discussion of that day's events, one former government official was quoted as saying, "The only positive thing that we can ever get out of this is that we, as a country, are totally out of denial."
In what I see as Step 1 in this new world, Congress will soon be considering a bill called the Critical Infrastructure Information Security Act (CIISA). This legislation addresses factors that have discouraged open sharing of information between the federal government and private industry. The CIISA bill will protect competitive information from disclosure and require federal agencies to share the results of their analysis of infrastructure threats.
Step 2 is creating an organization that brings together all the thus far disparate pieces of the government's effort to combat cyber-threats. Establishing an Office of Homeland Security and appointing a presidential special advisor for cyberspace security is helpful, but the efforts of these new organizations need to trickle down to those of us at the working level. That will take not only time, but also cultural change and a willingness for information 'owners' to view themselves as information 'managers.'
Right now, the formal success of the FAA's security effort appears to be measured by how well we comply with PDD-63 requirements to certify systems, and by how many of our security staff get trained. Assessing us by these metrics forces us to look at our technology on an entity-by-entity basis. But some organizations are pushing for a consensus that our interconnected local and wide area networks should be treated as critical systems and certified as a whole, and that funding should be available for organization-wide security remediation above and beyond what PDD-63 requires.
The real proof of our success is demonstrated by how well our systems have been able to repel attempts to compromise their security, and so far in the FAA office in which I work, that is quite well indeed. We are a microcosm of the rest of the federal government, which needs to recognize that it must reward the behavior that it wants to attain. That recognition entails measuring 'success' by our progress in meeting a full set of security requirements, not just those that can be quickly measured. After all, as my client's motto reminds us, we all know that good security is a process, not just a moment in time.
Laurie McQuillan, CISSP, has been a technology consultant for 25 years and currently manages the contractor support for the information systems security program at the Federal Aviation Administration's Office of Regulation and Certification. She may be contacted at [email protected]. More information about (ISC)2 is available at www.isc2.org.