FOSE: Former FBI Chief Says Government IT Security Too Siloed

Addressing a packed audience in the morning keynote session Thursday, former Federal Bureau of Investigation Director Louis Freeh said the only way IT security in government is going to keep pace with sophisticated security threats was by a "three-legged stool" approach combining the private sector, government cooperation and innovation that's not about playing catch-up, but rather anticipating what's coming next.

"Cybersecurity has grown, and there are strong centers of expertise in the FBI, NSA [National Security Agency] and other places," Freeh said. "But these have to be centers of expertise that interface in efficient and practical ways. And there seems to be a lot of difficulty in cooperation between the private and public sectors."

Freeh said that the resignation, on March 9, of Rod Beckstrom as director of the National Cyber Security Center (NCSC) was indicative of a bigger problem. Beckstrom's complaint, suggested in his resignation letter to Department of Homeland Security Secretary Janet Napolitano, was that his agency's hands were tied because of a lack of support from NSA. (DHS on Thursday appointed a Microsoft veteran, Philip Reitlinger, Redmond's chief trustworthy infrastructure strategist, to be the NCSC's new director.)

"It's true that NSA does dominate most national cybersecurity efforts," Freeh said. "Is the military going to continue to be responsible or is it time to stand up to an independent civilian facility, too? This problem is too large to relegate it to a bureaucratic pigeonhole. The federal government isn't capable of running it on their own, and there needs to be a long-term plan."

FOSE runs concurrently with the U.S. Law Conference & Exposition, and also GovSec, the Government Security Expo & Conference, whose breakout sessions, which kicked off Wednesday, focused on everything from the confluence of physical and cybersecurity to interoperability among response agencies and rethinking levels of security clearance.

Security vendors as disparate as Astaro, Blue Coat Systems, Check Point Software Technologies, MXI Security, Graybar, Omnitron and Dell were on hand with what they saw as the latest in threat-management and prevention measures.

But both Freeh and others at FOSE suggested that, like most other transformational aspects of government IT, transforming security requires rethinking the entire approach -- and getting away from putting bandages on different aspects of security, especially with the government finally starting to embrace virtualization and cloud computing.

"There are too many point products, and too many [security] vendors," suggested Joshua Corman, principal strategist at IBM, in an interview following his Wednesday afternoon presentation, "The Virtual Reality: Securely Embracing Virtualization."

For many organizations, Corman said, security accounts for 10 percent to 12 percent of IT spends, and "that was before the economy tanked."

"We're training in silos, but we're beset on all sides. People don't really know what they should be doing," he said.

Corman argued that understanding the level of IT security threats in 2009 and beyond means understanding what "beset on all sides" means.

To Corman, there are five challenges facing organizations: compliance issues, innovation (or a lack thereof), the effects of the global economy, the ability to be flexible and the more sophisticated nature of evolving threats, whereby "the bad guys" are now as much about profit and politics as they are about prestige, Corman said.

"How much security spend is going to just compliance? In a down economy, the risk is spending on compliance and nothing else," he said. "The security industry has it backwards: Many of the old-guard professionals are saying here's a widget, and you need to organize your business around it."

Of the five challenges mentioned, Corman suggested most IT security vendors are good at only one or two.

"But you have to sell for all five," he said. "We have to transcend from point solutions in this business. You buy a car, not a carburetor and some brakes."