2011: Cyber Moves to the Action Phase
The cyber world was intensely active this year. To wit:
- On the Hill, two major bipartisan Senate bills – one from the Homeland Security and Government Affairs Committee sponsored by Sens Lieberman and Collins (http://www.gpo.gov/fdsys/pkg/BILLS-111s3480rs/pdf/BILLS-111s3480rs.pdf), and the other from the Commerce Committee sponsored by Sens Rockefeller and Snowe (http://commerce.senate.gov/public/?a=Files.Serve&File_id=29daa3d9-291e-46ce-aba9-f2348f4c0d0d) -- became the core of a consensus drafting process led by Majority Leader Reid.
- In the Administration, DHS took over operational responsibility for civilian agency cybersecurity from OMB (http://www.whitehouse.gov/sites/default/files/omb/assets/memoranda_2010/m10-28.pdf), and furthered several initiatives intended to improve readiness in the face of increasingly complex and varied cyber attackers – including the Einstein program to monitor and respond to threats, and a national incident response capability that was tested through a new coordination center. There was also general agreement that spending a the bulk of agency cyber resources on certifying and accrediting IT systems needed to give way to the more operational posture that is created through continuously monitoring systems for actual vulnerabilities and incidents. On the classified side, DoD set up the Cyber Command, a new agency-wide body that is designed to protect and defend US military and intelligence assets in cyberspace; DOD and DHS agreed to coordinate more closely, including exchange of senior cyber personnel (http://www.dhs.gov/xlibrary/assets/20101013-dod-dhs-cyber-moa.pdf).
- Cybercoordinator Howard Schmidt was involved in all of the above, and also focused on industry and international outreach, working with the Commerce Department and DHS.
- The cyber workforce became a major nexus, with the National Institute of Standards and Technology at Commerce taking ownership of the revamped National Initiative on Cybersecurity Education (carrying the interestingly ironic acronym of NICE) (http://csrc.nist.gov/nice), and a private sector body led by former OMB leader for IT and cybersecurity Karen Evans launched a national cybersecurity workforce challenge to train a large cadre of newly skilled professionals (http://www.uscyberchallenge.org).
- And several major international cyber incidents occupied the headlines, above the many, many incidents that were ongoing: “Stuxnet”, which targeted the systems that control critical infrastructures like dams or power grids and had a specific focus on Iran; the Chinese attacks against Google, which led to a change in how the world’s largest search engine plays in the world’s most populous nation; and of course “wikileaks”, which showed that a military private with inside access to the DOD classified network could easily share that information with outside parties who can and have shared visible and valuable intelligence with friends and foes alike.
All of these activities had two things in common – they didn’t end in 2010, and their impact was primarily felt in the cyber world rather than the broader government management community. This year, the Congress may indeed pass legislation, the Administration will progress significantly across civilian and classified initiatives, and the government will continue to increase reliance on online assets (PCs, PDAs, laptops, iPads) -- both in its everyday activities and its migration to “cloud computing”; in turn, this will magnify the impact of cyber incidents, and require a more operational focus to identify and respond properly to those incidents. .
The programs that government managers operate rely on IT systems and computers to function every day. The risks to those programs are growing, and the level of attention on cybersecurity will be felt this year more than ever before by individuals in the public sector who have not really thought a lot about how cyber has become a mission critical element of what they do. The political and geopolitical lens will be directed outward from the cyber world with progress on the above initiatives; it will be incumbent on managers to be aware and informed of why cyber matters to them, what they can do about it, and who they can turn to for help (more on this to come in a future post).