Top federal IT exec: Expanded network security efforts will be done 'in a very transparent way'
The House Committee on Homeland Security held a hearing on Thursday to discuss aspects of the U.S. government's Cyber Initiative, a classified program ordered by President Bush in an effort to boost the security of federal networks and systems. Among the government officials who testified at the hearing was Karen Evans, who serves as the de facto federal CIO in her capacity as administrator of e-government and IT at the White House Office of Management and Budget. In an interview with Computerworld today, Evans discussed the hearing and parts of the Cyber Initiative, including the involvement of the National Security Agency (NSA) and a plan to broaden the use of the government's Einstein network monitoring system and upgrade it by adding real-time threat-detection capabilities. Excerpts follow:
What should people take away from the House hearing? The big takeaway is that the federal government is moving forward in an accelerated way with the Cyber Initiative to ensure that we're properly protecting, and managing the risks associated with, the information we collect. And that we're working to ensure that there is privacy, and we're doing it in a very transparent way. This is really bringing together all the existing efforts [that were already under way] and driving that with very specific deadlines, which I welcome.
When you look at all the initiatives we're doing — like the implementation of IPv6, HSPD-12 [a smart ID card program], Trusted Internet Connections, the activities we're doing under the policy memo from the president's identity theft task force and the [Federal Desktop Core Configuration] — that's a defense-in-depth vision.
In addition to those efforts, is there anything new that's required under the president's directive? The piece that's different is Einstein. Up to this time, Einstein was an optional program for federal agencies. With this initiative, it is no longer an option. Einstein is [a mandatory] part of the solution that sits at an external network connection.
There's another part that will change as well: the [U.S. Computer Emergency Readiness Team] will have more operational capabilities here, so to speak. If any agency isn't doing its part in maintaining everything that it needs to maintain at an external connection, US-CERT will have the ability to block that connection and reroute traffic through another gateway. That isn't [meant] to impact the agency's mission — the missions of the agencies are first and foremost, and that will continue to go on. But if something isn't working right, US-CERT will have the ability to stop it.
It could be patching: Maybe one of the gateways doesn't have all of the patches installed [that it should]. So why would we want that vulnerability to stay up there? We wouldn't. This is all basic networking types of things. There's nothing ominous about it.
What's the goal of expanding the use and capabilities of the Einstein system? It will give us better situational awareness. Einstein will look at IP addresses, headers — that kind of information. We're not going to be reading e-mail or anything of that kind. It works in the same way that any intrusion-detection system does.
What role will the NSA have in all of this? You should think of NSA as a shared service on information assurance. The way that this setup is, we are supposed to capitalize on them. We've always done that. NSA determines security standards, then they hand the standards off to [the National Institute of Standards and Technology]. NIST then takes those in a very public way through its regular standards-setting process. So it's very transparent.
What you do is capitalize off of the people who have the knowledge. In the case of the FDCC, NSA worked on standards through its information assurance program. That was then agreed upon through the Department of Defense. What we did was take those standards and then put them out for public comment. Industry got to review everything that we were doing. There were 700 standards that went public, and now we're using them within the federal government. That's how NSA continues to work with the civilian agencies. That's how it was set up.
What's your message to people who are concerned about the privacy implications of the Cyber Initiative? My [response] to all of them would be that we are by statute required to do privacy impact assessments. We're supposed to take a look at all of the information we collect, and we have to do a system-of-records notice that is required under the Privacy Act. When we put those [notices] out for public comment, they should be looking at those. And even after the privacy impact assessments are publicly available, agencies still continuously take comments based on the information that is out there.
When you go to an agency Web site, you see their privacy notices, because every agency is required to publish that. So I would look through those privacy notices and the privacy impact assessments. Also, we're getting ready to deliver our annual [Federal Information Security Management Act compliance] report to Congress. What we have done is expanded on that, though we weren't required to. We now include a privacy aspect. So we're giving a governmentwide status report on the privacy activities that agencies are engaged in.
computerworld