The Bush administration plans to address the demands to advance its cybersecurity policies in the new year, but some critics question whether the administration will go far enough to protect the United States from increasingly sophisticated cyberattacks and security breaches.
The administration's stance is that cybersecurity's moving forward will inherently be part of any new federal government IT initiatives. Others, however, believe the president should create a distinct administrative cybersecurity position within the Homeland Security Department to oversee progress in the federal government and act as a liaison with private industry.
Cybersecurity costs are expected to be factored into all agency budget requests. It's a matter the administration takes seriously enough that the Office of Management and Budget suggests agencies without adequate plans to improve cybersecurity shouldn't move to any new IT projects until cybersecurity is addressed, says Karen Evans, OMB's administrator for E-government and IT.
Entering his second term, President Bush faces a number of challenges to IT-related initiatives such as cybersecurity. Perhaps the greatest challenge is a growing budget deficit projected to reach $521 billion for fiscal 2004. The president has promised to cut the deficit in half within five years, but much of this will depend on a reduction in spending, including a heavy reliance on IT to cut costs.
"This doesn't necessarily mean that IT budgets will be cut," Evans says. "If an agency is properly managing their portfolio, their IT budget might go down because they're achieving the same or better results with the same amount of tax dollars."
While OMB's expectation that each federal agency bake cybersecurity into its budget is a good start, the Cyber Security Industry Alliance is looking for the Bush administration to do more to get private industry to adopt such standards, since private industry owns and operates 90% of the United States' critical infrastructure. The alliance was launched in February by a group of technology providers including Computer Associates, Network Associates, and Symantec.
The Bush administration has laid out a good cybersecurity strategy, says Paul Kurtz, the alliance's executive director and former senior director of critical infrastructure protection for the White House's Homeland Security Council. In a paper published earlier this month, however, the alliance urged Bush in his second term to use his influence to follow through on his National Strategy to Secure Cyberspace, a February 2003 initiative that called for the formation of a national cyberspace response system, a cyberspace security threat- and vulnerability-reduction program, and a cyberspace security-awareness and -training program.
Kurtz acknowledges that the Department of Homeland Security has made some progress regarding cybersecurity, but he still would like to see responsibility for cybersecurity and physical security divided between two assistant secretaries. Robert Liscouski, Homeland Security assistant secretary for infrastructure protection, handles both. "We don't have that senior-level focal point to work with both industry and government on cybersecurity matters," he says.
When Congress earlier this month passed a simplified version of its Intelligence Reform Act after cutting a provision that would have created a high-profile assistant secretary of cybersecurity within Homeland Security, advocates perceived this as a slight to cybersecurity's importance. "Often in this town, what really matters is the authority that comes with one's position," Kurtz says. "There's a lot that goes with such a position; it resonates on the Hill, creating accountability and someone the Hill can go to as a designated spokesman."
Evans says the formal creation of an assistant secretary for cybersecurity position is unnecessary. Any distinct cybersecurity position within Homeland Security is a management issue that should be worked out within the department, she says.
Both Evans and Kurtz agree, however, that the nation's data and IT infrastructure will only be protected through a partnership of government and industry. Such a partnership includes calling on private-sector companies to secure their systems, but also government's willingness to apply successful private-sector cybersecurity initiatives to its own systems, Evans says.
"This is not all on the government's shoulders," Kurtz agrees. "There needs to be a great action on the part of private industry." The Commerce Department should, for example, urge CEOs to review cybersecurity measures during board meeting reviews of business operations, he adds.
Setting aside the debate over the assistant secretary position, Kurtz is optimistic that cybersecurity will improve if the Senate ratifies the Council of Europe's Convention on Cybercrime and the Bush administration can encourage information-security governance in the private sector.
Says Kurtz, "I'm confident that in a second term we'll see more action on these items."