Obama Should Scrap Cybersecurity Czar, Analyst Says

As President Obama prepares to name a cybersecurity czar, an influential tech analyst said the White House should create a federal chief information security office instead.

The news comes amid InformationWeek's exclusive report Thursday that hackers have infiltrated servers operated by the U.S. Army.

"The bottom line is that increasing the national cybersecurity is an operations issue," John Pescatore, VP and analyst at Gartner, said in a statement. "The problems are well-understood, solutions are known, and gaps have been identified. Organizations with high security in private industry and government almost invariably have a strong security office and a chief information security officer (CISO), and that should be the model that the U.S. government follows."

The federal government should move into a more active role to improve security in cyberspace instead of focusing on strategies that increase spending or visibility for security, according to Pescatore.

"The evolution and technological underpinnings of the Internet are very different from those of telecommunications or any other previous infrastructure," he said. "Different approaches are required to ensure reliable and secure services in cyberspace than on old telecom networks, and the development of public policy has to proceed very differently, as well."

He said that the government will not succeed if it attempts to force top-down solutions on a peer-to-peer problem. National cybersecurity strategy should not be based on government control over the Internet, mandates, or increased reporting of attacks. Instead, it should focus on using policy and buying power to eliminate vulnerabilities, Pescatore said.

He said an effective strategy should look more like a hurricane preparedness plan or a global warming policy than mandates on the telecommunications, banking, and automotive industries.

Federal leaders should harmonize federal security standards with commercials equivalent to eliminate duplication, he said.

"Proactive harmonization of security standards driven by the federal government will be much more effective than leaving states to define their own widely varying levels of approaches for increasing the protection of citizen data and critical infrastructures," Pescatore said.

They should also use spending power to ensure that government software procurements require application vulnerability testing, evaluate existing regulations and step up enforcement, focus on preventing attacks rather than combining efforts to prevent and detect them, and reward best practices, Pescatore said.

"Most of the publicity tends to go toward the government agencies with low Federal Information Security Management Act scores in annual audits, and currently there seems to be little or no effort to spread best practices across agencies," he explained in a report on national cybersecurity strategy (purchase required).

InformationWeek Analytics has published an independent analysis on what executives really think about security. Download the report here (registration required).