5 Predictions on Gov't Infosec in 2013
A Bold Forecast? Don't Kid Yourself. This is Government!
A new Congress - the 113th - comes to Washington in January, and the partisan battles [that's right, partisan] over IT security begin anew. But the issues that dominated the cybersecurity debate from Capitol Hill to the state capitals across the nation in 2012 will be mostly the same in 2013.
Some of the players will be new - sort of. Sen. Tom Carper, D-Del., and Rep. Michael McCaul, R-Texas, both active in cybersecurity matters, will become the chairmen of their respective houses' Homeland Security committees [see New Cybersecurity Leaders in Congress]. But many of the same, familiar names will be back: White House Cybersecurity Coordinator Michael Daniel, Federal CIO Steven VanRoekel, NSA Director Gen. Keith Alexander and President Obama.
Here's my take on how 2013 will shape up:
- Congress will be as dysfunctional in 2013 as it was in 2012. Don't look for an omnibus cybersecurity bill getting through Congress; we haven't had one in over a decade. The divide that turned cybersecurity into a partisan issue, regulation, will keep lawmakers from agreeing on comprehensive legislation. More narrowly focused measures, such as a bill to reform the Federal Information Security Management Act of 2002, which governs federal government IT security, could pass. Some sticky points remain, though, such as whether there should be a Senate-confirmed cybersecurity official and the role the Department of Homeland Security should perform in overseeing civilian agency cybersecurity.
- Whether or not Congress codifies a stronger role for DHS in government cybersecurity governance, the department's sway over IT security will continue to expand in the new year, simply because that's what President Obama wants. DHS is muscling up its cybersecurity staff, as exemplified by the hiring of John Streufert, the former State Department chief information security officer, who's credited with implementing highly praised continuous monitoring and risk assessment programs at State [see Building DHS's All-Star Cybersecurity Team].
- The Office of Management and Budget is calling on federal agencies to adopt continuous monitoring, with help from DHS [see Federal Continuous Monitoring Project Unveiled]. Don't expect it to go smoothly in many agencies. The concept of continuous monitoring - regular, automated scrutiny of agencies' IT systems and networks to identify vulnerabilities and patch software - isn't easy to pull off. "That is a tough thing on organization because people inherently resist any new process," says Booz Allen Hamilton's George Schu [see Creating a Continuous Monitoring Culture].
- People, especially privacy rights advocates and civil libertarians, object to the growing influence of the National Security Agency, the electronic, super-spy organization situated in the Defense Department, over civilian cybersecurity. But the NSA's influence will expand in this area in 2013 because of a relative dearth of IT security professionals, not only in government, but everywhere. NSA is recognized as having the most experienced crew of cybersecurity specialists, and that expertise is perceived to be needed to protect the government. Its influence will be camouflaged through its partnership with DHS, which officially will be designated as the lead agency in dealing with the civilian side of the federal government. But DHS can't do its job without NSA's help.
- The breach of South Carolina's tax IT system, in which Social Security numbers and other personally identifiable information of nearly 4 million taxpayers were exposed, is scaring the dickens out of a lot of top officials in local and state governments. The breach forced South Carolina Gov. Nikki Haley to take a visible leadership role in addressing the state's IT vulnerabilities. Expect to see more governors and mayors in other states and cities step up to lead IT security initiatives in their jurisdictions [see Silver Lining in South Carolina Tax Hack].
Okay, these aren't the boldest of predictions. But what do you expect? This is government!
What's your prognostication for government IT in 2013? Drop me an e-mail at firstname.lastname@example.org, or join the discussion at the GovInfoSecurity Forum on LinkedIn or at the GovInfoSecurity Twitter feed.