White House Gets Its Cybersecurity Research Ducks in a Row
Dec 13, 2011 5:00 AM PT
It looks as if the United States federal government is getting even more serious about cybersecurity these days.
First off, the White House released a road map that sets R&D priorities for cybersecurity in order to speed up efforts to secure the U.S. network infrastructure and change the government's approach to online security.
The plan -- "Trustworthy Cyberspace: Strategic Plan for the Federal Cybersecurity Research and Development Program" -- is the culmination of seven years of examination and consideration of cybersecurity issues by experts in both the private and public sectors.
It identifies four strategic thrusts: inducing change, developing scientific foundations, maximizing research impact and accelerating transition to practice.
The idea is to focus research on limiting our current deficiencies in cyberspace, precluding future problems and speeding up the release of the results of research into the marketplace.
The aims of these four thrusts include achieving greater resilience in cyberspace, improving our attack prevention, developing new defenses and enhancing our capabilities to design software that's resistant to attacks.
Together, Together, That's How It Must Be
The plan implies coordination across government agencies through the Federal Networking and Information Technology R&D (NITRD) program.
It also assumes the NITRD Cyber Security and Information Assurance Interagency Working Group (CSIA IWG) will take the lead in these efforts.
The CSIA IWG will work with the White House Office of Science and Technology Policy (OSTP), the NITRD Senior Steering Group for Cybersecurity R&D and the Special Cyber Operations Research and Engineering (SCORE) Interagency Working Group.
The NITRD Program consists of a collaboration of U.S. federal R&D agencies. It seeks to provide R&D foundations for assuring continued U.S. technological leadership in various high-tech areas, meet the needs of the federal government, and accelerate the development and deployment of these technologies.
Gotta Have That R&D
Research into cybersecurity is essential, W. Hord Tipton, executive director of the International Information Systems Security Consortium (ISC2) and formerly CIO of the Department of the Interior, told TechNewsWorld.
"To not define and continue research only widens the gap between us and the bad guys," Tipton said.
"It is high time we made these investments," Tim (T.K.) Keanini, chief technology officer at nCircle, told TechNewsWorld.
Call to Action
However, plans and statements of intent alone won't help get U.S. cybersecurity up to scratch.
"Good strategy is useless unless there's an accompanying plan for execution and people in place to enforce it," ISC2's Tipton pointed out.
"Loss of control, trusting outside your boundaries, and working as a unified team dedicated to solving a problem from A to Z seems to be asking too much of our government," Tipton added.
Keeping Feds' Heads in the Cloud
Also last week, the U.S. government launched a program that establishes policy for the protection of federal information in cloud services.
The Federal Risk and Authorization Management Program was outlined in a memo to CIOs in the federal government by Federal CIO Steven VanRoekel.
It was developed by the Obama administration working with various organizations, including the National Institute of Standards and Technology (NIST) and the U.S. Department of Defense (DoD).
DHS to Rule Cybersecurity Work?
This week, Rep. Dan Lungren is scheduled to table a discussion draft to amend the Homeland Security Act of 2002.
The draft essentially suggests giving the Department of Homeland Security (DHS) the leadership role in the United States' cybersecurity efforts.
How that might play out remains to be seen.
Working Out on Tuesday's Patches
Finally, Patch Tuesday is here, and enterprises should implement the patches Microsoft rolls out as soon as possible, Alex Horan, senior product manager at Core Security, told TechNewsWorld.
Among the issues addressed in this rollout are four remote code execution flaws in the Microsoft Office products. Code execution in Office could result in long-lived vulnerabilities because admins delay pushing out patches to users' machines for fear that this might impede the users' work.
"User complaints are much more manageable than the press [resulting from] a breach," Horan said, adding that enterprise IT typically takes "at least a month" to begin implementing patches because of "typical resource and time constraints."