The person who fills the newly created US chief information security officer position will be able to improve the government’s cybersecurity, a 77 percent majority of Passcode’s pool of digital security experts said.
Hiring a CISO to oversee the security practice of federal agencies and the overhaul of the federal government’s computer systems is a major part of the Cybersecurity National Action Plan that President Obama recently unveiled – and some security experts initially worried it would prove a massive (and maybe impossible) undertaking.
But Influencers who responded to Passcode’s survey appeared cautiously optimistic about the new CISO’s ability to drive change across the government.
“Naming a federal CISO is the right move,” said Tom Cross, CTO of Drawbridge Networks. “The best way to identify critical weak spots like the Office of Personnel Management database and concentrate the right level of resources on them is to take a high level, systemic view of everything the federal government has.”
However, like many other Influencers, Mr. Cross pointed to potential obstacles to the CISO’s success.
“Success in this role in the federal government may be tough,” he said. “The position that has currently been defined may not have the level of seniority required to be effective.”
For the CISO to be effective, added Mark Weatherford, a principal at The Chertoff Group and former Department of Homeland Security official, the White House will need to empower the person with “the right authority and responsibility.” After all, he said, “if it’s another figurehead role, it will be a waste of time.”
“Even worse, it will display once again that Washington can’t get out of it’s own bureaucratic way.”
Changing the government’s culture – and getting employees at the various agencies on board with taking security seriously – will be a major challenge, several Influencers said.
“A real CISO would first focus on basic security hygiene - which is severely lacking at many government agencies,” said John Pescatore, director of emerging security trends at the SANS Institute. “However, if this position is just yet another talking head about security, no progress will be made.”
Much of the optimism that the CISO can improve the government’s cybersecurity is because Influencers say it’s extremely poor as it stands. As Jonathan Zittrain, cofounder of the Berkman Center for Internet and Society at Harvard University, puts it: There are “few places to go but up.”
A 23 percent minority of Influencers said the new CISO cannot improve the government’s cybersecurity.
“As in past attempts to inject cybersecurity into the federal government from the top down, this can only work if the CISO has the authority to impose change and sanction those people and agencies who fail to change,” said Nick Selby, CEO of law enforcement security company StreetCred Software. “The ‘all-the-responsibility-but-none-of-the-authority’ model has been tried before, and failed quietly.”
Others, like Sascha Meinrath, director for tech policy think tank X-Lab, said simply putting a person in charge of flawed government data collection and retention practices will all but ensure the CISO’s failure.
“Without a fundamental rethink of our information architectures and data collection and retention policies, the incoming CISO is destined to fail to meaningfully improve [US government] cybersecurity,” Mr. Meinrath said. “What’s needed are radical reductions in the amounts of information stored and the amount of time these data are kept on file.”
Instead, he adds, the US government “continues to pursue practices that more and more information, kept for ever-increasing amounts of time, can somehow be made ‘safe’ – which is decidedly a fool’s errand.”
What do you think? VOTE in the readers’ version of the Passcode Influencers Poll.
Passcode gathered more than 130 high-profile security and privacy experts for the Influencers Poll. Click their names below to learn more about them.
Lorrie Faith Cranor
Angela L. Heise
Jane Holl Lute
“Improvement is a low bar.” - Charlie Miller, Uber’s Advanced Technology Center
“In order to be effective, the federal CISO position has to have both responsibility and authority to improve security at federal agencies. A real CISO would first focus on basic security hygiene - which is severely lacking at many government agencies. However, if this position is just yet another talking head about security, no progress will be made.” - John Pescatore, SANS Institute
“While I continue to remain concerned about the lack of independent review of agency budgets, the creation of a federal CISO should help raise the profile of cybersecurity within the Office of Management and Budget and provide a single focus for managing operations across the government. The President’s Cybersecurity National Action Plan and the FY2017 budget proposal both acknowledge the need for more centralization of .gov cybersecurity, which I have long sought and which I believe is essential in the wake of the OPM breach.” - Rep. Jim Langevin (D) of Rhode Island
“Yes - if the CISO is given appropriate authority, including authority to impact agency security budgets.” - Influencer
“Must disrupt everything, as it hasn’t worked in the past. New approaches, new technology and techniques, and a big bully pulpit to lead change. The right person can make a big difference!” - Influencer
“Pick a name from the phonebook and that person could improve the US government’s cybersecurity.” - Marc Rotenberg, Electronic Privacy Information Center
“There is still a lot of immediate action needed. At least one in five government employees does not use two-factor authentication.” - Influencer
“The incoming CISO has a potential role that can be used to educate the public, develop public/private sector cooperation, and promote standards.” - Chuck Brooks, Sutherland Global Services
“Innovative thinking and the building of trust between all actors in leadership in the digital age are crucial to its positive advancement.” - Influencer
“The CISO can focus on a number of areas including changing the culture around security. That is where the executive level emphasis can have impact in the government. Tackling workforce management issues after that would be a steep challenge but improvement is achievable.” - Robert Lee, Dragos Security
“Since the standard or scale of ‘improvement’ is not specified, then yes, if the new CISO updates the security patches of even one USG computer, then the USG’s cybersecurity has been ‘improved.’ It’s hard not to improve something, when you’re starting from such a low base. But, better to light candles than curse the darkness. Hopefully, the new CISO will articulate and formulate cybersecurity standards and policies which will improve the overall security standards of the USG. Hopefully.” - Influencer
“While it is unclear how much authority, budget, support, and direct reports the new position will have, at this point a CISO advocate for the federal government is a good thing. That said the position should be larger in scope, a Federal CSO reporting in parallel with the CIO instead of to the CIO. Many times a CISO reporting to the CIO is like sending lettuce by rabbit.” - Jeff Moss, DEF CON Communications
“Marginally at best.” - Influencer
“Naming a CISO will help unify the civilian government’s approach to cybersecurity.” - Stewart Baker, Steptoe & Johnson
“While the proof will be in the authorities granted to and priorities undertaken by the federal CISO, it is imperative the government lead by example if they expect the private sector to do the same.” - Frank Cilluffo, George Washington University
“Someone need to take oversight and accountability seriously for a change! Which neither USG or Congress have done yet!” - Influencer
“Yes the CISO can improve cybersecurity - but whether he or she actually will is a different question. Like at any major organization, the USG CISO can be effective if the position is empowered and limited if the role is undercut. Time will tell.” - Influencer
“Greater coordination of interagency resources will help drive better risk mitigation.” - Chris Finan, Manifold Security
“Smart people making good decisions in the right places can always make a difference.” - Influencer
“Only if there is massive overhaul of the dilapidated, antiquated procurement, certification and accreditation processes.” - Scott Montgomery, Intel Security
“The Federal CISO will help drive a unified strategy with the help of the Federal CISO Council and the support of the Federal CIO, and will help ensure needs are raised with sufficient energy to garner positive action.” - Influencer
“It would be hard for them not to. Due to the status quo regulatory and budget routine it makes it difficult to take a risk based approach. What the federal government ends up with is least common denominator security.” - Chris Wysopal, Veracode
“Can any single person make a meaningful difference in this massive broken system?” - Influencer
“Without a fundamental rethink of our information architectures and data collection and retention policies, the incoming CISO is destined to fail to meaningfully improve USG cybersecurity. What’s needed are radical reductions in the amounts of information stored and the amount of time these data are kept on file. Instead, the USG continues to pursue practices that more and more information, kept for ever-increasing amounts of time, can somehow be made ‘safe’ – which is decidedly a fool’s errand.” - Sascha Meinrath, X-Lab
“Too little time left in the Obama administration.” - Influencer
“According to the job description, the role has no authority to do anything. The person getting this job will sit in a lot of meetings but that is about it.” - Rick Howard, Palo Alto Networks
“This is tough. Perhaps one person can provide some leadership, but the situation didn’t evolve overnight. Blaming victims of attacks isn’t appropriate, but firing non-performing personnel with security duties almost certainly is, and doesn’t happen anywhere near as much as it probably should in the public sector.” - Influencer
“The CISO’s effectiveness will be based on personality and cooperation. The real problem is the governing structure (CIO Council) which cannot compel compliance.” - Influencer
“The position has insufficient resources, the wrong tools and no real authority. Federal government is too siloed and this does nothing to break down the walls.” - Influencer