The History of Cybersecurity Reform
How Poor Architecture and Lack of Security Prompted Change
"To think about the history here, most people back in the heyday of the web and e-commerce - that 1995 to 2000 period - weren't really building in security in a lot of the web apps," Forman says in an interview with GovInfoSecurity.com's Eric Chabrow (transcript below).
To Forman, the Internet changed the way business was done online, and cybersecurity became a real issue. Prior to recent legislation and reform, security was often built in after systems were put into place. "We've known for years that it's the most expensive way to secure the government, and have started to build in security up-front," he says.
Weaknesses in government infrastructure were known prior to the 9/11 attacks, Forman says. But the day after, members of government started to take action.
"Everybody realized that these weaknesses had to get fixed very quickly, that the unthinkable is suddenly thinkable and the known risks were not only known to us but could be easily and rapidly exploited by the terrorists," he says.
In 2002, the E-Government Act was passed, changing Forman's title to administrator for e-government and IT, a job known today as federal CIO. FISMA, the Federal Information Security Management Act, which also came out of the E-Government Act, replaced the Government Information Security Reform Act.
The purpose of FISMA was to work to fill the gaps that existed in the government's IT infrastructure. "That's pretty much been done," Forman says. "The next wave has to be ... getting away from this kind of patching after the fact."
In an interview with Information Security Media Group, Forman discusses:
- The 9/11 attacks' influence on the way the federal government approached cybersecurity;
- Roles performed by the White House, National Security Agency, Congress and the nascent Department of Homeland Security in securing IT in the months and years following the attacks;
- The legacy of the attacks on cybersecurity a decade later.
Forman was on the job as associate Office of Management and Budget director, the de facto CIO post, for only three months when the 9/11 attacks occurred. With passage in 2002 of the E-Government Act, which included the Federal Information Security Management Act, his title became administrator for e-government and IT, a job known today as federal CIO.
He resigned in August 2003 for the private sector, and now is forming a venture called Government Transaction Services, which will provide a cloud-based tool to help those receiving federal grants comply with government regulations. A former partner at the business consultancy KPMG, Forman worked at Unisys as a vice president of e-business/global public sector and IBM Global Services as principal/global public sector e-business strategy before joining OMB. Prior to those private-sector stints, Forman was a staff member on the Senate Governmental Affairs Committee for seven years.
Forman received a bachelor's degree in economics from Ohio State University and a master's degree in applied microeconomics and quantitative methods from the University of Chicago.
9/11's Influence on IT Security
ERIC CHABROW: What was different on Sept. 12, 2001 versus Sept. 10 in the way government approached IT and IT security?
MARK FORMAN: There was a tremendous amount of uncertainty and fear about the potential ways that the federal government would be brought under attack. At the forefront of those were not only physical attacks, but we all knew there were vulnerabilities in IT security. Everything from a denial of service attack to destructing communication networks, destroying lots of data, virtually every kind of bad scenario was on our minds.
CHABROW: Was there an immediate reaction when it came to these IT security concerns that you did? Was there an immediate action, some committees formed or something like that?
FORMAN: A committee was formalized, co-chaired by Dick Clarke who was the cybersecurity adviser put in that role, I think formally no more than four weeks after 9/11. Dick had been very concerned and working on that issue. I think I was in office one day when the memo came across my desk for what at that time was called the Government Information Security Reform Act, ultimately reinvented as FISMA, the Federal Information Security Management Act. By that time, we were just starting to get in the reports, the audits of the initial measures of information security, and we knew a lot of agencies had a lot of systems that had just never been built with cybersecurity in mind.
CHABROW: How did the attack serve perhaps as a catalyst to get FISMA enacted? Obviously, you said it was already in motion before the attacks took place.
FORMAN: The 2001 time frame was really the first time, as a result of the Government Information Security Reform Act, which was FISMA's predecessor. It was the first time we had any kind of measurement of security, of cybersecurity, in federal government, and in general we've had about ten to fifteen percent tests on any of the performance metrics. We knew the government wasn't very secure. Dick and others had been saying that this is a real weakness for terrorists. I think the day after 9/11 everybody realized that these weaknesses had to get fixed very quickly, that the unthinkable is suddenly thinkable and the known risks were not only known to us but could be easily and rapidly exploited by the terrorists unless we took real fast action.
E-Government Act
CHABROW: The E-Government Act, which includes FISMA, was enacted about a year after the attacks. Do you think it would have happened that quickly if it hadn't been for the attacks?
FORMAN: I think a number of things came together, but I think legislation and reform was pretty inevitable. To think about the history here, most people back in the heyday of the web and e-commerce, that 1995 to 2000 period, weren't really building in security in a lot of the web apps. You think about all the applications that government had running for 25 to 30 years before. When people built security it was usually around mainframe and financial systems. The Internet really changed the way much of business was done, and cybersecurity was a threat that came up after a lot of that work in terms of architecting those apps had been done, so it never had been built in.
Really what we found out was finally some measure of how insecure things were. FISMA was about really prioritizing and fixing those gaps. That's pretty much been done. They've been patched and bandaged so there are marginal returns to that. The next wave has to be, as we continue to modernize and leverage in new technology with the government, getting away from this kind of patching after the fact. We've known for years that it's the most expensive way to secure the government, and have started to build in security up-front. We look at a platform as a service or software as a service, infrastructure as a service. We have different security paradigms and scenarios that we can play out and have done right. The focus should be to get a lot more security "bang for the buck" than the old way of going back and re-patching and bandaging as best as possible.
Department of Homeland Security
CHABROW: Another big impact of 9/11 on IT security was the creation of the Department of Homeland Security in November of 2002. What impact did the creation of DHS have on how the federal government governed IT security?
FORMAN: I'm not sure that it had a big impact, to be quite honest. There's a huge debate raging about whether Homeland Security should control. OMB has always been at the forefront of adjudicating the risk paradigm, and the risk paradigm for government has a couple of unique features. First of all, you can make things totally secure and shut down the government because none of the business processes or transactions can work at the speed the government needs. OMB has always served working with NIST and NSA to try to get that right balance and that's why the whole approach is risk-based. There's a way to do that trade-off between the amount of security and risk of the process and time limits, the speed and quality of getting the data versus the process of non-existing because somebody picked it out in a cyber attack.
The other unique element of this is privacy, because the government really does have so much information on citizens and put in the wrong hands you have the real risk. As far as behavior, I think we saw that going back in America's history but luckily we haven't seen it since. Still, OMB acts to adjudicate behind the scenes. Nobody really sees them.
One of the interesting things I think coming out of 9/11 was the shift with respect to that privacy approach. Rather than putting civil liberties way in front of cyber, the security of the information or the use of the information in current terrorism created a new variable in the discussion. Now Homeland Security combined a couple key elements of that in the department. One was for years the Commerce Department had been in place to work with industries on their cybersecurity and NSA had pretty much not been visibly involved.
After 9/11 it became clear that there were much greater vulnerabilities and the risk of the loss of an industry to a cyber attack versus concerns over privacy shifted. By moving that into DHS I think we've got a greater focus on the protection of certain industries.
Another key element of that is something that many people don't realize exists called the National Communication System, and this actually dates back to the Telecom Act of 1928. It's almost a century-old set of laws. Basically during the Cold War there was a need to maintain telecommunications and so a group was set up. Eventually it ended up over at what had been the Defense Information System Agency and then that group pulled out of there and was put into part of Homeland Security as part of the infrastructure protection group. You get a much greater focus on cybersecurity in relationship to the economy right after the aftermath of 9/11.
Since then, the President's current strategy I think is to go further. FISMA put the e-gov administrator and the Deputy Director for Management and Director of Management of OMB in charge of cybersecurity and accountable for it to the extent that if you lie to Congress you go to jail. It was one of my greatest fears because it seems I was testifying every month on that for Congress and the administration is basically taking that away from the CIO now and moving it over to DHS. That's really hard for other federal agencies to have one federal agency oversee another federal agency. It's going to be very interesting to see bureaucratically how successful that becomes.
9/11's Legacy
CHABROW: What legacies today should people be thinking about from 9/11 as it relates to IT security?
FORMAN: That the unthinkable can happen. If you know an attack is remotely viable and you know somebody has motive to execute that attack, you've got to be prepared to find it or prevent it altogether. The interesting thing about cybersecurity is it may be tough to prevent all kinds of attacks. It's always cheaper to build the cybersecurity framework in up-front than to patch it at the back-end.
CHABROW: Do you feel that the federal government IT is more secure today from potential attacks than it was on Sept. 11, 2001?
FORMAN: Measurably so. As a result of 9/11, by the end of September we've had an awful lot of reports on who was secure and who wasn't. We spent a lot of money and allocated a lot of money for the agencies. That's one of the advantages of having that - call them a CIO, call them an associate director, call them an administrator. The senior IT person being at OMB gets control over the money. Having them report directly to the President maybe means a lot in the commercial world, but it means nothing in the government because the controlled money rests with the OMB and you've got to be there if you're going to really have an impact. We allocated a lot of money to one department to fix their cybersecurity. The next fiscal year rolled around, and as you know the next fiscal year starts in October. Not too far after 9/11 the CFO there said, "This was a fad for OMB. They're not going to worry about it. Let's spend it on something else." We almost had that guy fired because me and the other folks understood that cybersecurity was very important to the President simply because they didn't realize. I think a lot of people outside of IT didn't realize the implication of not fixing their environment or their applications.