GCN : November 2013
CYBEREYE BY WILLIAM JACKSON

CYBERSECURITY STRATEGIES NEED TO GO GLOBAL

Federal efforts to create cybersecurity frameworks for government and for critical private infrastructures have had an impact on international views about cybersecurity, says J. Paul Nicholas, Microsoft's senior director of global security and diplomacy.

"When I meet with customers in other parts of the world, it always surprises me how much they know about FISMA and FedRAMP," Nicholas said, referring to the Federal Information Security Management Act and the Federal Risk and Authorization Management Program.

But there still is no common template for cyber policies, and various international development efforts are progressing separately. In the United States, the National Institute of Standards and Technology is creating the Cybersecurity Framework, a set of voluntary security recommendations for critical infrastructure. Across the ocean, the European Commission is creating the Network and Information Security Platform. And as nations develop strategies for securing their cyber environments, there is a risk that unaligned policies could create a fragmented or poorly secured global infrastructure.

Some differences among national policies are inevitable, Nicholas said. "Cybersecurity is going to vary country by country," because each nation faces a unique set of risks and has its own needs. To help create a common foundation on which policies can work together, Microsoft has produced a whitepaper, "Developing a National Strategy for Cybersecurity." The paper advises focusing on the basics and building on established best security practices. It advises that any strategy be:

• Risk-based
• Outcome focused
• Prioritized
• Practicable
• Respectful of privacy and civil liberties
• Globally relevant.

Although the Government Accountability Office has rated federal IT security as a high-risk area since 1999, Nicholas, co-author of the Microsoft paper, praised the progress being made in this country to establish a regulatory regime for cybersecurity, including FISMA. "FISMA has really been a journey," and important work is being done under it, he said. "Could it be better? Yes. But it is being fine-tuned to improve risk management."

NIST has come through in providing guidance in its 800-series of reports on IT security, Nicholas said. Although FISMA and the NIST guidance are aimed at the U.S. government, their influence extends well beyond. "There is a framework and mentality that did not exist 10 years ago. FISMA better enables the U.S. government to have a risk dialog with the private sector."

This is not to say that FISMA, which is far from perfect, is or should be the model for national strategies. The challenge to come up with some kind of functioning global system for securing cyberspace involves as much diplomacy as technology. "It's about deciding what needs to be done and how to move forward," Nicholas said. •

18 GCN NOVEMBER 2013 • GCN.COM

THE SLOW BUT STEADY PROGRESS OF FISMA

The Federal Information Security Management Act, the framework for cybersecurity in the federal government, has come in for a lot of criticism since its enactment in 2002. Some say it is hopelessly out of date; others that it never was adequate. But the law has proved remarkably resilient in the face of an IT landscape that has changed almost beyond recognition in the last 11 years. This is due in large part to the continually and rapidly evolving body of cybersecurity guidance being produced by the National Institute of Standards and Technology -- the meat on the bones of FISMA.

Assessments of FISMA's success remain cautious, at best. A recent report from the Government Accountability Office shows "mixed progress" from fiscal 2011 to 2012. Some security elements improved while some declined, and "23 of 24 of the major federal agencies had weaknesses in the controls that are intended to limit or detect access to computer resources." Government IT security professionals questioned in a recent survey by MeriTalk gave a positive but cool assessment of the law.

So, how to shift opinions of FISMA from cautious to enthusiastic? GAO focuses on metrics, recommending looking at periodic assessments of risk and developing metrics for inspectors general so that they can report programs' effectiveness. NIST will need to continue updating its guidance to reflect new capabilities. And everyone will have to accept that cybersecurity is a moving target and that even the best-protected systems will quickly become vulnerable if ignored for a short time.

-- William Jackson