Ex-cybersecurity chief calls on feds to step up efforts

While progress is being made in the nation's efforts to ensure the security of its cyber assets, a revolution is needed in the federal government's thinking in order to win the "cat and mouse game" with cyber attackers, a former senior cybersecurity official said Wednesday.

"The government doesn't know what its IT assets are," said Amit Yoran, who resigned as director of the Homeland Security Department's cybersecurity division last month. He added that the government is much like large multinational organizations, where cybersecurity awareness does not cut across all divisions.

A recognized private-sector expert, Yoran said he tried to address the problem during his one-year stint at Homeland Security. By the time he left, he said the department had made progress in mapping which of the 127 federal entities are responsible for what parts of the government's cyber assets. His office found that there are 5,700 different "network blocks" across government.

The division also began asking about agencies' Internet exposure in order to understand the risks. But scanning the 5,700 networks for that exposure is "a Herculean effort" and is ongoing, he said. Yoran spoke at a conference sponsored by the Computer Security Institute.

Generally, Yoran said the government's risk assessments appear to be largely based on consultants' reports rather than on an actual examination of the systems. His vision for the government is to use the government-wide knowledge of risks to take more coordinated, effective security steps.

There are "pockets" of top-flight cybersecurity skill within the government, Yoran said, and they need to be pulled together. Doing so will be fundamental to getting buy-in from the private sector, which owns about 80 percent of the nation's critical infrastructure, he added.

Yoran said the future is bright for cybersecurity, especially for making more secure software. "We are still at the very early stages of cybersecurity," he said. A new way of thinking is ushering in the next generation of technologies, and the government needs to be out front in encouraging that transformation, he said.

"We really need to revolutionize how we think about cybersecurity," Yoran said. "In three years time, there will be no definable perimeters on our systems." The typical systems, such as firewalls and intrusion-detection systems, will not be efficient any longer, he predicted.

"You won't be able to protect or own all of the information you are providing to your customers," Yoran said. "In many cases, you won't even be able to identify where the data resides."

Yoran's departure from the division caused concern among industry and in parts of the government that cyber security is not sufficiently high-profile in the government. He declined to comment on how the position should be structured, except to say that there should be sufficient access to senior-level decision-makers and that the person should have solid political skills.

Yoran also said that while there is great experience at Homeland Security in physical security, "the same is not true for cybersecurity."

Stay up-to-date with federal news alerts and analysis — Sign up for GovExec's email newsletters.
FROM OUR SPONSORS
JOIN THE DISCUSSION
Close [ x ] More from GovExec
 
 

Thank you for subscribing to newsletters from GovExec.com.
We think these reports might interest you:

  • Sponsored by eSignLive by VASCO

    Mobile E-Signatures for Government

    Learn 5 key trends that accelerate government demand for mobile signing.

    Download
  • Sponsored by Management Concepts

    SPONSORED: Successful Change Management Practices in the Public Sector

    How governmental agencies implement organizational change management.

    Download
  • Sponsored by Kronos

    Solving the Workforce Compliance Challenge

    Download this eBook to learn how data and automation can help state and local agencies.

    Download

When you download a report, your information may be shared with the underwriters of that document.