Is Cyber Pearl Harbor Needed for Fed Action? FISMA Author Tom Davis Speaks Out On IT Security Reforms
Former U.S. Rep. Tom Davis hopes not, but he also recognizes that government tends to be reactive, not proactive.
In an interview with the Information Security Media Group, conducted at the Payment Card Industry Security Standards Council community meeting, Davis discusses:
Davis served seven terms in Congress from 1994 until 2008. He wrote the original Federal Information Security Management Act (FISMA) in 2002. A Republican, Davis represented Virginia's Washington suburbs, where many government workers live and government IT and defense contractors have offices. Before becoming chairman of the Government Reform Committee, Davis chaired several subcommittees, including the Subcommittee on Technology and Procurement Policy.
Davis has also served as a co-chair of the Information Technology Working Group, which promotes a better understanding among members of Congress of important issues in the computer and technology industries.
Davis is now director of Federal Government Services at the consultancy Deloitte, and spoke with BankInfoSecurity.com Managing Editor Linda McGlasson.
LINDA McGLASSON: What are the obstacles when it comes to cybersecurity in government?
DAVIS: There are obstacles, and they are institutional. One thing I think that people don't understand is this: You get good people in government - at least they start out that way. I mean, these people come, and they are all bright-eyed and bushy-tailed and ready to work. But the government is designed to be slow and deliberating sometimes. Between slow and deliberate thoughts or dysfunctional is a fine line sometimes in these areas.
You have two different issues with cybersecurity. First of all you have the government systems, and on the government system side somebody ought to take charge and say 'This is the way it is going to be in government.' I think the administration is trying to do this with the Cyber Czar if they can ever get anybody to agree to take it. But the Cyber Czar has to be able to go to each agency and say 'This is the way it is going to be,' and that means talking to the National Intelligence Director. It means talking to your Joint Chiefs of Staff. It means talking to your Homeland Security. And somebody has got to give up authority to do that; they usually don't surrender this voluntarily or easily and particularly in this area where there is so much money -- about $7.5 billion dollars. Now just in cyber, we could go up to $11 billion in five years, I guess. That's a lot of money, and you lose control over it in your agency.
Right now, though, every agency is funded separately. The cyber is not even coordinated in that agency, and nobody is in charge so you have all these people selling all different kinds of packages of information that don't fit.
McGLASSON: When we are talking about naming the cybersecurity "czar," what are your thoughts on why that is taking so long?
DAVIS: Two things. One is, OK, in my case it was like I left (Washington) on top. If I wanted to stay in government, I would have stayed in Congress. I mean, now I would take a huge pay cut to go there. Others who work with me, the same thing. For people who are knowledgeable in this, it is a sacrifice to come into government. So, there is the financial side that makes it hard to get good people. Not impossible, but hard to get good people.
And then secondly, what kind of authority would I have? How many czars are there? What authority am I going to have? He may mean well, but the president can only absorb so many direct reports at one point.
I don't think it is a bad thing, frankly ... The President ought to have advisors he or she wants to be as advisors and not have to worry about the Senate confirming them in every case. So I don't have a problem with that. He has been criticized on that, and I don't think that is fair.
McGLASSON: Since you were one of the two authors of the original FISMA bill, I wanted to hear your thoughts on the work that is being done to reform and change some of the requirements.
DAVIS: I think we are in a different era than we were in 2002, and it needs some upgrading. I would like to see some interest in it. We do know, though, one of the problems with FISMA is it is not designed to be 'check the box.' To a great extent, we make a requirement, and [the agencies] start looking at these things and reporting on what they are doing in these areas. But I think to a great extent you are running the tests and trying to penetrate some of these systems, so you are more results-oriented than procedurally-oriented.
Again, I would like to spend some money out there to have people go after these -- try to penetrate these systems. If you are smart, that is what you are doing. How good are we? Hire some company to come in and say 'Can you get in?'
I think you should do that -- we do that with TSA you know. We get people through there all the time, and people are fired all the time and get through stuff all the time. That is the test -- not can they pass some test or something or check some box. We are not known for that. That will tell you really quick where you are. We know, though, the number of penetrations we have had in some of these agencies is scary, and we don't get the "cyber Pearl Harbor" right now, but what we are getting is a lot of intellectual property being lifted, and a lot of confidential information is being lifted up, and we know a lot of it is coming from Russia and China. But you also have a criminal element coming in; you have got the hackers.
There were breaches, and -- this was just carelessness on the census people, for example these handhelds that they are leaving in the back of their cars. Do you know at Deloitte we go through training on this, and we have to pass these tests, and these are tough tests. It is all online. I got through one with a 72, and I was careful. I studied my questions, and I said 'Look, I've graduated with honors from college and I can barely get a passing grade.' But they are serious about this. Because I don't have a trunk in my car -- it's an SUV -- I can't carry my computer home and stop on the way because somebody could look in and see it. It is a violation of policy. We just had one of our people lose it. It was in her car in the backseat, and they took it. That is a violation, and you pay a price for that. The government sends out directives, but they don't preach it, and they don't make you take an online test, and they don't go through this level of awareness training.
McGLASSON: So there is the need for better security awareness within government?
McGLASSON: The VA breach is a great example. That guy was doing his job, trying to be diligent and taking work home.
DAVIS: In the VA situation, it wasn't even encrypted and took them a while -- it took them a year after that before they issued the directive that mandated encryption on this stuff.
But this poor guy, he is going home, he is working at night at home and thinks he is doing the right thing, and [yet] is violating the policy. Had it been encrypted, you could make an argument for him. But it wasn't encrypted. The guys who were stealing these computers were a bunch of teenagers just going through neighborhood homes, and they ordinarily would have gotten away with it, but ... because of this one VA thing, they caught them and they put them all in prison. I guess they stole the wrong computer.
McGLASSON: Your thoughts on the direction that the federal government is taking in terms of shaping national data security legislation. Where do you see that going?
DAVIS: I think first of all the administration has got to give this priority, and they have got to give this a nudge. They have got to do this with purpose; this shouldn't be a partisan issue. But the obstacles are huge, just as I mentioned before. Nothing is easy in government, and the jurisdictional fights alone within the bureaucracy, the executive branch and the legislative branch are tough, so I think what you will get is something modest. But you need an upgrade of FISMA, you need to do some of the things we talked about.
McGLASSON: Will it take a cyber Pearl Harbor to get government action on cybersecurity?
DAVIS: I hope not, but that is traditionally the way government acts. We are getting cyber attacks everyday that are hurting us. I mean it's at 170,000 intrusions in the State Department penetrations. They lock these guys in a room in China and Russia and just go after this stuff, and then you add onto that criminal element, the terrorists, the hackers. It is incredible, and they are more innovative everyday. We are getting better, and so far nobody has gotten in to do the kind of thing you see on the television show 24. Do you ever watch 24, where the planes are crashing and stuff, or they collapse a dam and let all the water go out and flood? I mean, you have the ability to do that. So far it hasn't happened, but we know the potential is there.
McGLASSON: A Hollywood movie script could be written on some of the things that are possible out there.
DAVIS: A real live script could be written on this thing. The best example of that was the situation in Georgia, Russia. You remember the invasion there, where they had just attacked Georgia and also attacked the country's computer networks? That's the best example of where it can really hurt you.
If you do this in the right way, you could write a great script about this thing, and nobody knows what is going on. Then everybody is just going to sit around pointing fingers as to what happened, why didn't you have a Cyber Czar, why didn't you do this, or why didn't you do that?
McGLASSON: You will be giving some testimony next month on FISMA. A flavor of what some of that testimony might cover?
DAVIS: Well, I think it is time to take FISMA to the next level, and I will have some suggestions to talk about what they might want to do on that. One of the difficulties with FISMA at the outset was that the agencies get their report card and they sign their certifications each year in terms of where they are, but there is no punishment or reward. And the authorizers who write this stuff are so disjointed from the appropriators in Congress -- they have got to give this some muscle. They have got to make this a priority. There are just too many cooks in this thing, and everybody has got to sit around the table and say this is a problem, let's do it. Right now you have some people saying it's a problem, and some people focused on other items.
McGLASSON: You mentioned the need for more federal funding for cybersecurity research. What is your take on how that should happen?
DAVIS: I think there should be more funding. We need to coordinate more with the private sector, which is way ahead of the game on this. They have had to be. They have had to do this for survival. Your credit card companies, your banks, anybody in those industries has had to do research. They could not afford the risk of failure in these areas because it can bring down a company. It could ruin your reputation. But in government they are saying "I just hope it doesn't happen on my watch, but I have got to fulfill my agency mission first because that is what I get promoted on." So you don't feel the same sort of risk at the federal level, except in defense. I think in the defense area they do get it.
McGLASSON: Your thoughts on what states are doing with data breach legislation and information security requirements? And where you could see that translation happening from state to federal?
DAVIS: I think states are the laboratories of democracy, and it doesn't work as efficiently as you would like it to, but I think as you get together, as industry works with the states, you figure out which states have done it right and which states have done it wrong, and you can probably replicate that over the long-term. And you may eventually see some federal preemption on this, but with tougher standards.
McGLASSON: There are several states, more than 44 of them, that have data breach notification laws. Your opinion about a federal data breach notification law?
DAVIS: Well, I think there is an appropriate state interest on breach notification because I think at that point the consumer is jeopardized, and they need to understand it. I think it is appropriate. Now some of this other stuff, I think, gets overly prescriptive pretty quickly. The private sector at the end of the day has a greater interest in doing this stuff right than the public sector does because economically it hurts them.
The problem with government is that it tends to be reactionary: if you wait for a cyber event of major proportions, government will always be reactionary. It is going to be a knee-jerk reaction. They always do it, and that is the problem.