Despite being saddled with significant economic concerns, President Obama-recognizing the significant importance of cyber-security to the nation-ordered a 60-day review of United States information security and the systems that support Critical Infrastructure Protection (CIP)-or in this case, cyber CIP. This call to action recognizes that a failure to implement proper security measures can facilitate internal and external threats to the confidentiality, integrity and availability of the nation's critical infrastructure.
In January 2009, the U.S. Government Accountability Office (GAO) published the GAO-09-271 update to their High-Risk Series report, which outlines federal information and cyber CIP concerns. The report stated that protecting the federal government's information systems and the nation's critical infrastructure is a topline challenge, but this requires resolving deficiencies that have not yet been broadly identified.
The report also stated the importance of fully implementing effective security programs. The following challenges are too important to go unaddressed:
Challenge No. 1: Cyber-security as top-level priority
Earning cross-agency buy-in is critical for managing threats effectively, and for ensuring centralized and controlled access to vital information and systems.
Challenge No. 2: Establishing and implementing consistent security initiatives
Mandating policies can be a complex and daunting task, but with insufficient processes in place to enable full accountability, agencies become susceptible to internal and external threats.
Challenge No. 3: Preventing system disruption
Dynamic and complex technology environments-including virtualized, cloud computing or service-oriented infrastructures-make managing information access extremely difficult, requiring flexible controls and solutions to adapt and prevent interruptions (or worse).
Challenge No. 4: Improving warning capabilities
Access to critical information assets must be monitored and managed intensively in all facets of the organization. Implementing proactive warning systems can circumvent critical incidents, limiting exposure to agency credentials and vital information that can open the agency to extreme governance risks (both inside and outside its walls).
Challenge No. 5: Strengthening incident recovery
While mitigating occurrences is the first line of defense, the ability to recover from incidents quickly without exposing critical information and access needs to be improved upon. When events do arise, privileged information and access are compromised without a disaster recovery plan in place.
Government agencies by their very nature must be unfailingly vigilant in trusting secure information to external and internal resources-if only because the information they control can financially, legally or even physically endanger the public's well-being if it falls into the wrong hands.