Cybersecurity Expert: Less Talk, More Action

December 2009
by Maryann Lawlor

When it comes to cybersecurity, the time for talk is over and the time for action is way overdue, according to one cybersecurity expert. Policies and procedures have been talked to death through books, symposia and even movies. Technical solutions are available, but each is sitting in its own silo where it isn’t likely to be the most effective. And as for information sharing about cyber incidents and threats, not only does it not occur, but the environment isn’t conducive to it.

These are the opinions expressed by Zal Azmi, cybersecurity expert and senior vice president, Cyber Solutions Group, CACI, who also says that in the meantime, cyberthreats continue to grow and most government and industry leaders aren’t putting much thought into a response plan once a cyberattack hits. And it will hit, Azmi states; it is just a matter of time. The indications that he’s correct are the incidents in Estonia and Georgia. He maintains that these were only preludes—the real strike has yet to come.

“What is the action plan? Even though we are standing up the cyberspace organizations—like U.S. Cyber Command, the Navy’s Cyber Fleet and the U.S. Air Force’s 24th Air Force—when are we going to take action?” Azmi asks. While many policies and procedures have been written, there are not enough people working on the implementation. “I say we should think big, start small and scale fast.”

Azmi uses President Obama’s recent approach to deciding what action to take in Afghanistan as an example of how the U.S. government and industry should strategize about ways to protect cyberspace. For six weeks, the president considered the situation, consulted experts, spoke with his top military advisers and chose a deadline for when the plan would be assessed. These are the same tactics that should be employed to create a plan of action against cyberattacks, Azmi recommends.

This plan should include metrics so that at some designated point in time, leaders can measure what’s been accomplished and determine if the plan is working. “So, for example, at the end of 2010, the accomplishments and the plan would be reviewed to determine whether the goals have been met,” he adds. “We are not there. There are plenty of policies, but we don’t have a comprehensive plan.”

Azmi is not convinced that senior U.S. leaders appreciate the seriousness of existing cyberthreats. And while military leaders are willing to call cyberspace the fifth domain, they have not designated a U.S. Defense Department leader to protect it as they have for air, sea, land and space. “There should be one person who is on the same level as Defense Department leaders who designates the roles and responsibilities for protecting cyberspace,” he proposes.

The Clinger-Cohen Act of 1996 and the Federal Information Management Security Act (FISMA) of 2002 were a good start to approaching cybersecurity problems, but they were only “paper exercises,” Azmi states. Although FISMA required agencies to test and account for the security of the information technology in their organizations, little if any testing was done to ensure that the systems were actually secure. That said, Azmi does commend the Government Accountability Office for bringing attention to the cybersecurity issue and following up by publishing which agencies were far below average when it came to securing their systems.

Although the primary issue is the security of cyberspace, another concern is the amount of money being handed over to agencies for information technology security that doesn’t end up being used for that purpose. Azmi relates that oftentimes when an organization runs short of funds in another area, cybersecurity and research and development funds are seen as good places to siphon what is needed to fill the gap. Millions of dollars that were intended to be spent securing cyberspace have been spent on other projects. This must be investigated and stopped, he adds.

Government is not the only entity that has to pull its act together when it comes to cybersecurity. Azmi notes that companies are reluctant to share information about the attacks they’ve suffered because doing so could inadvertently lead to divulging intellectual property or revealing weaknesses in their systems.

To overcome these grounds for information hogging, Azmi recommends that a portal be established where organizations could share information freely about cyberattacks. This information also would be extremely useful to software developers who could use it to patch security holes or offer specific solutions, he notes.

Share Your Thoughts:

Susan, I agree with you. I'm trying to get an interview with Mr. Schmidt so I can see what he thinks now that he's in a position to do something significant. Wish me luck!

Maryann....just show him the GEN Cartwright article...that should put you in. If not, tell him you are going to interview Melissa Hathaway instead....(I probably should not say that here...).
All I know is, we are losing this 'cyber war' in that we have so many different 'opinions' about cyber space and security and information sharing, that we continue to spend a lot of time, money and effort and seem to continually end up back in the same place. We need to reassess as we did in our wars in Iraq and Afghanistan and try something new...what we have been doing is not marshalling all the smart minds.
Good luck!
And, can this comment page add a spell checker...I just noticed I misspelled in my last post and probably misspelled something here too...Hope to see you at the next Solutions Series.

Thanks so much for the tip, Susan. Showing him the Gen. Cartwright article never occurred to me! As for the spell checker, for some reason, my comments have spell-check. Our new media editor says it's my browser. That said, I'm going to put in a request with our IT department. That's a great idea!!