Experts fear securing digital infrastructure may be less of a federal priority
White House cybersecurity adviser Howard Schmidt will step down from his post at the end of the month. The move comes only two months after Richard Clarke resigned as special adviser to the president for cyberspace security, shortly after the release of the Bush administration's strategy to secure cyberspace. Security analysts and vendors worry that cybersecurity is less of a priority for the federal government and that there will be no single administration official focused on getting the private and public sectors working together to secure the nation's digital infrastructure.
"It's a revolving door at the top," says Pete Lindstrom, research director at Spire Security. "Is that indicative of the lack of authority of the position?"
The top cybersecurity official in the administration after Schmidt's expected departure will be Robert Liscouski. As assistant secretary of infrastructure protection at the Homeland Security Department, Liscouski has responsibility for securing both the country's physical and digital infrastructures.
Maria Cirino, CEO of security-services firm Guardent Inc., says cybersecurity is unique and critical enough to deserve its own high-level advocate. "Ultimately, this needs dedicated cabinet-level attention," she says. While both Schmidt and Clarke brought attention to the critical issue of securing cyberspace, Cirino would like to see that effort continued with the federal government adding legislative teeth that would force companies to pay more attention to securing their networks. "We see how serious companies affected by [the Health Insurance Portability and Accountability Act] and [Gramm-Leach-Bliley Act] take information security," she says.
Top-level turnover indicates a lack of clout to effect real change, says Spire Security's Lindstrom. "They tried to create a position that held responsibility, but not necessarily any authority," he says. This is the same challenge many chief information security officers face. "Outside of financial services, most CISOs don't have authority to secure specific platforms," Lindstrom says. "They have responsibility for the security, but no authority to put in operational control measures."
The Department of Homeland Security has brought many groups responsible for IT security into its fold. The Critical Infrastructure Assurance Office is now within the Information Analysis and Information Protection Directorate, as are the National Infrastructure Protection Center and the Federal Computer Incident Response Center.
Liscouski is in a good position to coordinate the country's cybersecurity efforts, says Thomas Noonan, chairman, president, and CEO of Internet Security Systems Inc., a security services and software provider. Noonan sits on the National Infrastructure Advisory Committee, which makes recommendations to the president about the security of the nation's information systems. "Schmidt built the momentum, but in the long term, the critical infrastructure is so intertwined with cybersecurity that it's impossible to separate the two," Noonan says.
However, some still wonder about the feds' depth of commitment to securing the country's digital infrastructure. Says Guardent's Cirino: "This high-profile departure, without much information about who will be filling it, has a lot of people worried that cybersecurity is losing focus within the administration."