“We are operationalizing a lot of these things,” said Schmidt in an exclusive interview with Federal News Radio. “When the decision was made to go to TIC, DNSsec, looking at the Federal Desktop Core Configuration, and looking at some of the other things we are doing to assist intrusion detection and prevention across the government; these are all work that is being done on a regular basis.”
But this lack of public exposure also is leading to the perception that Schmidt’s office and the Office of Management and Budget are less interested in federal agency cybersecurity, especially compared to the focus the Bush administration gave it.
Over the past two years, OMB issued six memos on cybersecurity, including two that just detailed Federal Information Security Management Act (FISMA) guidance, compared to 14 under the Bush administration the previous two years.
Schmidt and others are quick to point out that memos alone are not a measurement of interest or improvement.
Federal and private sector experts, however, say there is a vacuum around leadership of cybersecurity being filled by the National Institute of Standards and Technology and the Homeland Security Department. But NIST and DHS have much less and, in some cases, no authority over agencies.
The experts, who requested anonymity so they could speak more freely about this sensitive topic, said industry and agencies aren’t getting a clear message that cybersecurity is as important as, say, cloud computing or openness and transparency.
Several federal chief information officers and industry executives say they were surprised that federal CIO Vivek Kundra barely mentioned security when he issued his 25-point IT reform plan in December.
At that White House event, only Defense Department CIO Teri Takai brought up cybersecurity, saying the government needs to treat IT security in the same respect as it is focusing on efficiencies and reforms.
Kundra responded to Takai’s statement. “I can’t overstate the importance of security. Our view – it’s vital. It’s baked in. These reforms are targeted about how we manage the $80 billion portfolio. To me, security is part of that DNA. It’s not something that is separate.”
The Obama administration brought a lot of hope around cybersecurity when it first came into office. The President requested a cyberspace policy review report and named Schmidt to be the first cybersecurity advisor in the White House. Schmidt also sits on the National Economic Council to help advise how cybersecurity issues affect the economy.
But over the last 15 months, Schmidt’s focus has been mainly on external issues, including the development of the Strategy for Trusted Identities in Cyberspace, which the President issued April 15, as well as working with the private sector to improve partnership and information sharing.
OMB, meanwhile, has changed FISMA to move to continuous monitoring done by DHS, established blue and red teams at DHS to test agency networks, and issued a memo last July giving DHS more authority and responsibilities over FISMA.
Experts say these are minor things, many of which were in process when the Obama administration came into office.
Just recently, the White House sent draft legislation to agencies for review that would boost DHS’s authorities and responsibilities around civilian agency cybersecurity.
Schmidt would not comment directly on the move to codify DHS’s role in protecting civilian agency networks.
“The existence of any draft or legislative stuff is something, of course, we would be working very closely with our legislative partners and the executive branch on,” he said. “Speculation on what may be out there is not something you and I can be in a good position to discuss right now.”
Schmidt added that DHS’s responsibilities when it comes to protecting the .gov domain and working with the private sector are clear.
“I don’t know if there is any question about that,” he said. “We’ve seen it through memos. We’ve seen it through HSPDs in the past. So, I hear people say that from time to time but the bottom line is there is no lack of clarity when meeting with the CIOs, CISOs and the executive leadership across the agencies. Everyone is clear, that I’ve dealt with, that hears the roles and responsibilities that the departments and agencies have, DHS has, NIST has, and what the EOP does.”
Schmidt also said he doesn’t see or hear the perception that there is a leadership vacuum around cybersecurity.
“When you look at the composition of our office, and the President established it, there were a number of things we are looking at: federal cybersecurity, private sector environment and critical infrastructure, international environment and…the business needs of this thing, what are the economic issues we deal with and workforce development,” he said. “We’ve got the broad brush in our office and that’s the way we operate.”
He added that OMB works very closely with his office and no longer by themselves, like they used to.
“Both Vivek Kundra and myself have met repeatedly with the CIO Council and CISOs. And DHS has been working with them regularly as we move forward on this,” he said. “We continuously are working with the department and agencies to make this more seamless across the .gov environment working with DHS.”
Schmidt said some long-running initiatives are making progress. For instance, under the Domain Name Server (DNS) security effort, which will provide cryptographic protections to DNS communication exchanges thereby removing threats of DNS-based attacks and improving the overall integrity and authenticity of information processed over the Internet, agencies have secured 1,800 domains.
Schmidt said agencies also have completed signing those top level and secondary domains with secure software.
He wasn’t sure how many Internet gateways agencies have secured or closed down under the Trusted Internet Connections (TIC) initiative, but said a high percentage are secured.
“It’s not that we are redoing policy every five days or every month. Once the policy is set then it goes in operational mode and that is the part the CISOs and CIOs are working with DHS to do,” Schmidt said. “I can’t understand why there is this ‘gee, why is there a lack of discussion about this stuff?’ The discussion already has taken place. Now, we are getting from talking about this stuff to getting it done. And that doesn’t involve me going out and meeting with agencies, that’s the people who are doing the day-to-day work and dealing with all of these issues, vulnerabilities and patches and things like that.”
Schmidt said during his first 15 months in the job there have been few real surprises but plenty of areas where things are going well.
“It’s not a matter of having to go in and sell the importance of cybersecurity with departments and agencies,” he said. “Agency deputy secretaries and secretaries are giving this tremendous attention. Everyone gets it and wants to figure out how do we make it better.”
The biggest remaining challenges are around making sure agencies have the tools and understanding to continue to improve their cybersecurity and deal with real-time issues.
Schmidt said another challenge is “dealing with the civilian agencies who for a long time have been responsible for running their own system now have a resource with DHS. And, how do we make sure that scale goes across there.”
“The good news is I’m heartened by the talent that goes into make this more successful but also the support we get,” he said.
(Copyright 2011 by Federal News Radio. All Rights Reserved.)