Former FBI CIO Zal Azmi's call came only days before the Obama administration named its cybersecurity coordinator.
"Strategically, what we are lacking right now is an actionable game plan," said Azmi, who is now senior VP for government contractor CACI's cyber solutions group. "I have so many studies in my office that you wouldn't believe, but we need to be more focused. We need to put our heads together and get an actual plan going."
There have been a number of government cybersecurity plans put forward over the last several years, including 2004's National Strategy to Secure Cyberspace and 2008's largely classified Comprehensive National Cybersecurity Initiative. The plans have been gutted or otherwise disappeared off the public scene.
Now, the Obama administration, is pushing its own comprehensive plan. In a video posted after his appointment as White House cybersecurity coordinator this week, Howard Schmidt said President Obama had tasked him with creating a comprehensive cybersecurity strategy, which will likely grow out of the administration's 60-day cybersecurity review finalized earlier this year.
Azmi said that the key to any plan is to focus on hardware, software, and people, and to understand that cybersecurity is a risk management effort. "There are things you have control over, and things you don't," he explained.
First, it is important to tackle the things the government has control over by hardening desktops, servers, switches, and routers and the software that runs on those devices via security and managemenet tools, he said.
However, this only goes so far. From the supply chain to insiders, there are any number of IT system elements that agencies have only some control over. For example, Azmi said agencies should have hardware and software digitally signed by manufacturers.
Azmi urged a major effort to encourage public-private partnerships, particularly with the energy and financial sectors. "You're married to so many different networks and so many different ISPs," he noted.
He also said that the government needs to find ways to bring innovative cybersecurity products into the government space. "We need to close the gap between the private sector and the government," he said. "A lot of innovation happens in startups, but they work with the private sector and not the government because the process is so long and these companies don't have the manpower to deal with the government."
Finally, any strategy needs to have the backing not just of a cyber coordinator, but also of a "governing body" that would help the cyber coordinator execute his mission. "Policies and procedures are good, but if they are not enforced, they are worth nothing more than a piece of paper," Azmi said.