Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

12/23/2009
09:03 AM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Former FBI CIO Urges 'Actionable' Cybersecurity Plan

The first step: harden desktops, servers, switches, and routers and the software that runs them via security and management tools, says Zal Azmi.

The former CIO of the Federal Bureau of Investigation wants to see the government develop and implement a comprehensive cybersecurity plan, he said in an interview last week.

Former FBI CIO Zal Azmi's call came only days before the Obama administration named its cybersecurity coordinator.

"Strategically, what we are lacking right now is an actionable game plan," said Azmi, who is now senior VP for government contractor CACI's cyber solutions group. "I have so many studies in my office that you wouldn't believe, but we need to be more focused. We need to put our heads together and get an actual plan going."

There have been a number of government cybersecurity plans put forward over the last several years, including 2004's National Strategy to Secure Cyberspace and 2008's largely classified Comprehensive National Cybersecurity Initiative. The plans have been gutted or otherwise disappeared off the public scene.

Now, the Obama administration, is pushing its own comprehensive plan. In a video posted after his appointment as White House cybersecurity coordinator this week, Howard Schmidt said President Obama had tasked him with creating a comprehensive cybersecurity strategy, which will likely grow out of the administration's 60-day cybersecurity review finalized earlier this year.

Azmi said that the key to any plan is to focus on hardware, software, and people, and to understand that cybersecurity is a risk management effort. "There are things you have control over, and things you don't," he explained.

First, it is important to tackle the things the government has control over by hardening desktops, servers, switches, and routers and the software that runs on those devices via security and managemenet tools, he said.

However, this only goes so far. From the supply chain to insiders, there are any number of IT system elements that agencies have only some control over. For example, Azmi said agencies should have hardware and software digitally signed by manufacturers.

Azmi urged a major effort to encourage public-private partnerships, particularly with the energy and financial sectors. "You're married to so many different networks and so many different ISPs," he noted.

He also said that the government needs to find ways to bring innovative cybersecurity products into the government space. "We need to close the gap between the private sector and the government," he said. "A lot of innovation happens in startups, but they work with the private sector and not the government because the process is so long and these companies don't have the manpower to deal with the government."

Finally, any strategy needs to have the backing not just of a cyber coordinator, but also of a "governing body" that would help the cyber coordinator execute his mission. "Policies and procedures are good, but if they are not enforced, they are worth nothing more than a piece of paper," Azmi said.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Commentary
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-30481
PUBLISHED: 2021-04-10
Valve Steam through 2021-04-10, when a Source engine game is installed, allows remote authenticated users to execute arbitrary code because of a buffer overflow that occurs for a Steam invite after one click.
CVE-2021-20020
PUBLISHED: 2021-04-10
A command execution vulnerability in SonicWall GMS 9.3 allows a remote unauthenticated attacker to locally escalate privilege to root.
CVE-2021-30480
PUBLISHED: 2021-04-09
Zoom Chat through 2021-04-09 on Windows and macOS allows certain remote authenticated attackers to execute arbitrary code without user interaction. An attacker must be within the same organization, or an external party who has been accepted as a contact. NOTE: this is specific to the Zoom Chat softw...
CVE-2021-21194
PUBLISHED: 2021-04-09
Use after free in screen sharing in Google Chrome prior to 89.0.4389.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
CVE-2021-21195
PUBLISHED: 2021-04-09
Use after free in V8 in Google Chrome prior to 89.0.4389.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.