
Defense agencies release Top 20 Computer Security Controls: Setting Facebook wall to "private" not included on list

By Alex Salta Mar 09 2009, 04:50 AM

If "Enemy of the State" or "Live Free or Die Hard" taught us anything, it is that the federal government and cybersecurity are not always a match made in heaven. That may change, however, with the recent publishing of "The Twenty Most Important Controls and Metrics for Effective Cyber Defense and Continuous FISMA Compliance."

Leave it to the federal government to come up with a catchy title, but where's the acronym? A collection of federal government security organizations recently unveiled the list of the top twenty actions they say the government can use to effectively improve computer security, and the list is nothing if not comprehensive.

Technology news site CNet recently reported that the list was compiled by agencies such as the NSA and US-CERT, as well as the private security training group the SANS Institute. The list, also referred to as the Consensus Audit Guidelines (CAG), covers all the cyber-security bases. Everything from forming an inventory of authorized and unauthorized hardware and software to data leakage protection is covered by the CAG, which reads as a sort of checklist for government IT professionals looking to bolster security for their organizations.

According to a press release, the CAG was initiated in 2008 "as a response to the extreme data losses experienced by leading companies in the US defense industrial base (DIB)." After some preliminary research, it was determined that many of the threats facing the DIB were identical to those faced by federal government agencies. At that point the project's scope grew exponentially as more and more federal entities became involved. Suddenly cybersecurity was the buzzword of the moment in federal technology circles, replacing the old buzzword "Warcraft." We kid, we kid.

Speaking with CNET's British sister site ZDNet regarding the CAG, SANS Institute Director Alan Paller said that the CAG's recommendations would result in "a complete revolution in federal and business cybersecurity." "I do not know of anything going on in security that will have the impact this initiative can have," Paller told ZDNet. "If the nation cannot make the CAG work we will continue to fall further behind the attackers, at an accelerating rate."

So what's next? According to the CAG, a six-point effort has been put in place: a public review of the CAG's findings, pilot programs of the recommendations, reviews by the CIO and Inspector General, a series of workshops for federal technology professionals, and finally something called a "global validation" in which the CAG will be closely compared to other cybersecurity modules such as ISO 2700x.

The touting of the CAG's importance does not begin and end with Paller. CAG project leader John Gilligan, formerly chief information officer for the U.S. Air Force and the Department of Energy, spoke with reporters last week, saying: "We are in a war, a cyber war, and the federal government is one of many large organizations that are being targeted." Apparently William Shatner was being pretty darn prescient when he wrote "Tek War" back in the '80s; who knew?

All nerd ridicule aside, the claims of Paller and Gilligan are not ones that should be taken lightly. Events such as the recent hack of USAJobs.com have reminded us that government operations are not immune to the threat of cyberterrorism, even if that threat is sometimes overstated. Recent debacles ranging from the economic crisis to the Madoff scandal show that the greatest threats to the country's stability don't always come in the form of explosions and carnage. They are sometimes more subtly destructive.

The thirty-day review period for the CAG's findings is critical to its full implementation by the federal government, but one would suspect that no one in the government will want to be the one held accountable in the case of an emergency if the recommendations are not adopted. This is definitely one to keep an eye on.


rybolov
March 9, 2009 4:11 PM

Don't believe the hype. CAG is officially neither sanctioned nor sponsored by the Government. It's a good "Top 20" list that makes a complement to the official standards and guidelines and nothing more.

blyran
August 4, 2009 11:18 AM

Exactly. As with anything, take it with a grain of salt. Do your research, compile multiple sources.
