When it comes to cybersecurity, the time for talk is over and the time for action is way overdue, according to one cybersecurity expert. Policies and procedures have been talked to death through books, symposia and even movies. Technical solutions are available, but each is sitting in its own silo where it isn’t likely to be the most effective. And as for information sharing about cyber incidents and threats, not only does it not occur, but the environment isn’t conducive to it.
These are the opinions expressed by Zal Azmi, cybersecurity expert and senior vice president, Cyber Solutions Group, CACI, who also says that in the meantime, cyberthreats continue to grow and most government and industry leaders aren’t putting much thought into a response plan once a cyberattack hits. And it will hit, Azmi states; it is just a matter of time. The indications that he’s correct are the incidents in
“What is the action plan? Even though we are standing up the cyberspace organizations—like U.S. Cyber Command, the Navy’s Cyber Fleet and the U.S. Air Force’s 24th Air Force—when are we going to take action?” Azmi asks. While many policies and procedures have been written, there are not enough people working on the implementation. “I say we should think big, start small and scale fast.”
Azmi uses President Obama’s recent approach to deciding what action to take in
This plan should include metrics so that at some designated point in time, leaders can measure what’s been accomplished and determine if the plan is working. “So, for example, at the end of 2010, the accomplishments and the plan would be reviewed to determine whether the goals have been met,” he adds. “We are not there. There are plenty of policies, but we don’t have a comprehensive plan.”
Azmi is not convinced that senior
The Clinger-Cohen Act of 1996 and the Federal
Although the primary issue is the security of cyberspace, another concern is the amount of money being handed over to agencies for information technology security that doesn’t end up being used for that purpose. Azmi relates that oftentimes when an organization runs short of funds in another area, cybersecurity and research and development funds are seen as good places to siphon what is needed to fill the gap. Millions of dollars that were intended to be spent securing cyberspace have been spent on other projects. This must be investigated and stopped, he adds.
Government is not the only entity that has to pull its act together when it comes to cybersecurity. Azmi notes that companies are reluctant to share information about the attacks they’ve suffered because doing so could inadvertently lead to divulging intellectual property or revealing weaknesses in their systems.
To overcome these grounds for information hogging, Azmi recommends that a portal be established where organizations could share information freely about cyberattacks. This information also would be extremely useful to software developers who could use it to patch security holes or offer specific solutions, he notes.