Experts fear securing digital infrastructure may be less of a federal priority
White House cybersecurity adviser Howard Schmidt will step down from his post at the end of the month. The move comes only two months after Richard Clarke resigned as special adviser to the president for cyberspace security, shortly after the release of the Bush administration's strategy to secure cyberspace. Security analysts and vendors worry that cybersecurity is less of a priority for the federal government and that there will be no single administration official focused on getting the private and public sectors working together to secure the nation's digital infrastructure.
"It's a revolving door at the top," says Pete Lindstrom, research director at Spire Security. "Is that indicative of the lack of authority of the position?"
The top cybersecurity official in the administration after Schmidt's expected departure will be Robert Liscouski. As assistant secretary of infrastructure protection at the Homeland Security Department, Liscouski has responsibility for securing both the country's physical and digital infrastructures.
Maria Cirino, CEO of security-services firm Guardent Inc., says cybersecurity is unique and critical enough to deserve its own high-level advocate. "Ultimately, this needs dedicated cabinet-level attention," she says. While both Schmidt and Clarke brought attention to the critical issue of securing cyberspace, Cirino would like to see that effort continued with the federal government adding legislative teeth that would force companies to pay more attention to securing their networks. "We see how seriously companies affected by [the Health Insurance Portability and Accountability Act] and [Gramm-Leach-Bliley Act] take information security," she says.
Top-level turnover indicates a lack of clout to effect real change, says Spire Security's Lindstrom. "They tried to create a position that held responsibility, but not necessarily any authority," he says. This is the same challenge many chief information security officers face. "Outside of financial services, most CISOs don't have authority to secure specific platforms," Lindstrom says. "They have responsibility for the security, but no authority to put in operational control measures."
The Department of Homeland Security has brought many groups responsible for IT security into its fold. The Critical Infrastructure Assurance Office is now within the Information Analysis and Information Protection Directorate, as are the National Infrastructure Protection Center and the Federal Computer Incident Response Center.
Liscouski is in a good position to coordinate the country's cybersecurity efforts, says Thomas Noonan, chairman, president, and CEO of Internet Security Systems Inc., a security services and software provider. Noonan sits on the National Infrastructure Advisory Committee, which makes recommendations to the president about the security of the nation's information systems. "Schmidt built the momentum, but in the long term, the critical infrastructure is so intertwined with cybersecurity that it's impossible to separate the two," Noonan says.
However, some still wonder about the feds' depth of commitment to securing the country's digital infrastructure. Says Guardent's Cirino: "This high-profile departure, without much information about who will be filling it, has a lot of people worried that cybersecurity is losing focus within the administration."