Lessons in Cybersecurity: What I Learned at RSA
The RSA Conference (http://www.rsaconference.com/2011/usa) brings together the leadership and a large swath of the membership of the cybersecurity world. Key figures speak at plenary sessions, including White House Cybersecurity Coordinator Howard Schmidt, U.S. Cyber Command Commander General Keith Alexander, Deputy Secretary of Defense Bill Lynn, DHS Deputy Under Secretary Phil Reitinger, and NIST Director Pat Gallagher. A much larger number participate in panel sessions and informal discussions. I moderated a panel on the challenges that security and privacy bring to Open Government, which included Dave McClure, GSA Associate Administrator for Citizen Services and Innovative Technology; Ari Schwartz, Senior Internet Policy Advisor for NIST; and Mary Ellen Callahan, DHS Chief Privacy Officer.
A theme that cut across just about all the sessions was the close linkage between cybersecurity and business imperatives. Cyber is no longer seen as something separate from business operations. With IT and the Internet now key enablers for almost every commercial and government activity, securing the systems and data that power those activities is something every manager must pay attention to. Cybersecurity is part of the fabric of commerce, and cyberspace now equals (and may soon exceed) the physical world as a conduit for economic activity. I previously blogged on this with regard to legislation and policy at the Federal level. The lessons from RSA reinforced and strengthened this imperative.
A few highlights from the conference demonstrate this connection:
- Deputy Secretary Lynn clearly articulated why cyber is now a mission-critical defense domain (though not a military-only mission): protecting the nation’s military and intelligence networks is a key element of the nation’s defense posture. The recent establishment of Cyber Command as a major DOD command demonstrates this commitment.
- Cyber Coordinator Schmidt, Deputy Under Secretary Reitinger, and Director Gallagher sounded a similar theme for civilian government and critical commercial infrastructure systems, and described a national effort to give the private sector incentives to step up protection in ways that support innovation and business growth. Securing key assets is necessary for those assets to operate quickly and effectively, in government and the private sector alike. DHS and NIST are leading numerous efforts that matter for all of us, not just cyber professionals; the “Stop. Think. Connect.” campaign that DHS has adopted (http://www.dhs.gov/files/events/stop-think-connect.shtm) is an example of how government managers can contribute to strengthening cybersecurity in small but important ways as part of their jobs.
- One panel I attended addressed making a business case for cybersecurity: start by understanding the business needs, tie cyber metrics to meeting those needs, and measure the costs and benefits of the cyber measures implemented to enable the business.
- Another panel talked about cybersecurity and the “smart grid”. With IT and the Internet now vital connection points for utilities, home appliances, transportation, and telecommunications, building security into the systems that support our daily lives creates a resiliency that helps mitigate problems when basic functions are interrupted, whether by common power outages or by cyber attacks and malware that can harm critical infrastructure.
- Much discussion centered on making sure, through good authentication, that the individuals who access government and commercial networks are who they claim to be. Government managers would not want to risk the integrity of their programs by letting in unauthorized persons who could do harm through theft, espionage, or service disruption. These threats are very real in cyberspace, and the everyday password habits of all of us create vulnerabilities that can be exploited unless additional protections are in place. The National Strategy for Trusted Identities in Cyberspace (NSTIC) (initial draft at http://www.dhs.gov/xlibrary/assets/ns_tic.pdf) is a major program led by the Department of Commerce, with strong White House oversight, to make sure that agencies (and private sector entities) focus on this as part of their daily business activities.
- Finally, the panel that I led talked about how the business of government is, more than ever, powered by making government information transparent and accessible to the individuals who interact with agencies, but also about how protecting that information is paramount to the long-term success of transparency. Dave McClure coined the term “disclosure management”, meaning that open government requires managing the release of usable information that is easy to access while at the same time managing the systems and data to provide for security and privacy. To make Open Government a lasting part of program operations for government managers, all three elements (accessible information, security, and privacy) are needed.
So, another successful RSA (this was the 20th anniversary of the conference), and many more reasons why cybersecurity isn’t just for security experts anymore!