He says, for the most part, he thinks Congress is doing well when it comes to funding, but a deeper conversation is probably needed.
“Probably at an intuitive level, I think people understand what the potential threats are, and I think recent events over the past couple of years — Google [and] China, or the cyber activity that hit Estonia or Georgia during the Russia/Georgia crisis — those, I would say, events, certainly brought forward what those of us in the industry have been seeing in the background all the time.”
Since these incidents gained the attention of those outside of the IT industry, Amir says Congress overall does understand why cybersecurity is important and should be funded. The amount of that funding, though, and where it goes is often not as well defined.
“I have less confidence in that just because . . . this is a very technical and highly complex field, which is not to say that that is not something that can be addressed at a political level, but given that it’s really just grown in such a short period of time, the necessary skill set that is required to not only understand, but then explain and ultimately make policy in this area just hasn’t been developed.”
When laws like FISMA were passed at the beginning of the last decade, both the understanding of the problem and its nature were different. Amir says this is why the Comprehensive National Cybersecurity Initiative was put in place. He adds that it’s a start to giving the agencies what they need to stay safe.
“[Its goal is to] look at the problem from a — as the name says — comprehensive standpoint, as opposed to just a checkbox standpoint. I go back, of course, to the point that a lot of these programs that ultimately are part of the implementation are quite technical. As a result, I don’t think that there is necessarily the expertise yet to assess and evaluate them. . . . I will say, though, that does not seem to have stopped the funding. What I sense is going on is that there is probably a healthy trust of the subject matter experts that reside in the agencies and industry that are consulting and kind of trying to bring up to speed the policy makers as they try to balance the fact that they want to fund these programs without necessarily understanding all the technical aspects.”
Right now, though, agencies aren’t completely secure, and the Internet itself can still pose a grave risk to ordinary citizens if the right circumstances arise. The federal government, Amir says, is seen as a national asset and the role of government in its protection is one of the central debates in the cybersecurity community.
“The Internet has been a network that has been built up by private industry. It has now become an integral part of the workings of the country. So, five or six years ago, if a private company was attacked, it would be that company’s problem. Today, depending on what that private company is — let’s say a major oil company or financial institution — we would look at that and say that is a threat to our national security. Much in the same way that we don’t privatize the physical world, and we rely on the federal government or state government or government in general, to provide security at an acceptable level in the infrastructure, the thought is that same model should apply to cyberspace.”
Does this mean that agency CIOs now have to prepare for battle, not just in terms of defending their own turf, but when it comes to the broader public? Amir says the role of the federal CIO might one day expand to include monitoring the private sector, but a lot of questions must be answered first.
“What happens to privacy? How do the public and private sectors work together? Who develops the authorities, and how do these authorities develop for what the government can do in an attack? Simple questions like . . . should the President have a red button to turn off the Internet. Whether or not that technically makes sense, certainly the concept of the government having the ability to control traffic and control certain aspects of the network by virtue of the authority of the government is a legitimate question.”
He adds that answering these questions and having a real debate could go a long way toward helping both the public and private sectors allocate resources and dollars for various projects.