There’s been much discussion of late regarding the perceived lack of expediency by federal agencies to identify and prioritize critical cyber infrastructure needs. The Department of Homeland Security’s National Center for Critical Information Processing and Storage (NCCIPS) is sanctioned to host departmental applications and handle network connectivity, disaster recovery and critical data storage. Despite Congress approving $97.3 million in funding for NCCIPS for fiscal 2008, the migration of IT systems to the national center is reportedly moving slowly.
There are genuine concerns in not seeing good progression with this initiative, including an inability for agencies to feel confident that future security purchases will meet the formal compliance regulations that come from NCCIPS. Moreover, companies will be more hesitant in working with government agencies until future technical requirements are outlined.
But finger pointing is not the answer here, and coordinating, implementing and managing cyber security assets should not be the sole responsibility of NCCIPS. Corporate America has the duty and the expertise to be a key asset in protecting government IT systems. President Bush’s $6 billion request to combat cyber terrorism is a virtual call to arms to all businesses and organizations to do just that. It’s a matter of being part of the solution or part of the problem.
Summiting all participants
To expedite involvement, government agencies and prime contractors should call for a cyber security summit, designed to help identify and prioritize the apparently elusive critical security infrastructure needs. Corporations who do such work already hold clearances for their government contracts, so keeping discussions confidential is very doable.
Involvement should come in all forms, including agencies, non-profits, security product manufacturers/service providers, system integrators and assessors. Priorities should also be outlined in terms of the type of cyber threat – be it active or passive in nature.
Discussions should also include how current security policies and practices are impacting how well an agency’s network environment is able to protect both its information and employees. For example, organizations that fail to institute anonymous surfing practices when their staff members use the Internet for official business may unintentionally disclose their operating system, browser version, physical address and other sensitive information. Adversaries can use this information to uncover a government organization’s confidential plans and jeopardize their entire operation. Additionally, once an enemy knows an agency’s IP address, they can start scanning and attacking its network directly, endangering the organization’s data and infrastructure. Addressing these kinds of practices during the summit will put any conversation about the technical aspects of a network’s security architecture in perspective.
Risks and rewards should be shared by all
Corporate America should not only be willing to participate in such discussions, but also share in the responsibilities for its implementation. It is not enough for organizations to simply share their viewpoint, but they must also be ready to help in delivering solutions that improve the federal government’s security posture.
Sharing in the risks will bring with it ample rewards. In addition to solving this specific initiative, contractors and agencies will lay a solid foundation to identify other needs and solutions. This new partnership will open both opportunities and budgets, which making the associated operations efficient in both design and execution.
Information assurance at work
The level and sophistication of growing online threats and attacks highlight the imminent need for government agencies to coordinate and implement comprehensive information assurance practices with one another. But the responsibility must be one that is shared with the business community, who wrestle with these issues on a daily basis. Only by forging an alliance of corporate and government leaders will the United States see significant progress that guarantees the integrity of the both information gathered and stored against confidential leakage or counter-intelligence from adversaries.