Cybersecurity Expert: Less Talk, More Action

When it comes to cybersecurity, the time for talk is over and the time for action is way overdue, according to one cybersecurity expert. Policies and procedures have been talked to death through books, symposia and even movies. Technical solutions are available, but each is sitting in its own silo where it isn’t likely to be the most effective. And as for information sharing about cyber incidents and threats, not only does it not occur, but the environment isn’t conducive to it.

These are the opinions expressed by Zal Azmi, cybersecurity expert and senior vice president, Cyber Solutions Group, CACI, who also says that in the meantime, cyberthreats continue to grow and most government and industry leaders aren’t putting much thought into a response plan once a cyberattack hits. And it will hit, Azmi states; it is just a matter of time. The indications that he’s correct are the incidents in Estonia and Georgia. He maintains that these were only preludes—the real strike has yet to come.

“What is the action plan? Even though we are standing up the cyberspace organizations—like U.S. Cyber Command, the Navy’s Cyber Fleet and the U.S. Air Force’s 24th Air Force—when are we going to take action?” Azmi asks. While many policies and procedures have been written, there are not enough people working on the implementation. “I say we should think big, start small and scale fast.”

Azmi uses President Obama’s recent approach to deciding what action to take in Afghanistan as an example of how the U.S. government and industry should strategize about ways to protect cyberspace. For six weeks, the president considered the situation, consulted experts, spoke with his top military advisers and chose a deadline for when the plan would be assessed. These are the same tactics that should be employed to create a plan of action against cyberattacks, Azmi recommends.

This plan should include metrics so that at some designated point in time, leaders can measure what’s been accomplished and determine if the plan is working. “So, for example, at the end of 2010, the accomplishments and the plan would be reviewed to determine whether the goals have been met,” he adds. “We are not there. There are plenty of policies, but we don’t have a comprehensive plan.”

Azmi is not convinced that senior U.S. leaders appreciate the seriousness of existing cyberthreats. And while military leaders are willing to call cyberspace the fifth domain, they have not designated a U.S. Defense Department leader to protect it as they have for air, sea, land and space. “There should be one person who is on the same level as Defense Department leaders who designates the roles and responsibilities for protecting cyberspace,” he proposes.

The Clinger-Cohen Act of 1996 and the Federal Information Management Security Act (FISMA) of 2002 were a good start to approaching cybersecurity problems, but they were only “paper exercises,” Azmi states. Although FISMA required agencies to test and account for the security of the information technology in their organizations, little if any testing was done to ensure that the systems were actually secure. That said, Azmi does commend the Government Accountability Office for bringing attention to the cybersecurity issue and following up by publishing which agencies were far below average when it came to securing their systems.

Although the primary issue is the security of cyberspace, another concern is the amount of money being handed over to agencies for information technology security that doesn’t end up being used for that purpose. Azmi relates that oftentimes when an organization runs short of funds in another area, cybersecurity and research and development funds are seen as good places to siphon what is needed to fill the gap. Millions of dollars that were intended to be spent securing cyberspace have been spent on other projects. This must be investigated and stopped, he adds.

Government is not the only entity that has to pull its act together when it comes to cybersecurity. Azmi notes that companies are reluctant to share information about the attacks they’ve suffered because doing so could inadvertently lead to divulging intellectual property or revealing weaknesses in their systems.

To overcome these grounds for information hogging, Azmi recommends that a portal be established where organizations could share information freely about cyberattacks. This information also would be extremely useful to software developers who could use it to patch security holes or offer specific solutions, he notes.