Today on the Microsoft on the Issues Blog:
Posted by Scott Charney, Corporate Vice President, Trustworthy Computing
As I blogged last month, the increasing quantity and sophistication of cyber attacks require a comprehensive and coordinated strategy to secure the nation’s critical infrastructure and sensitive data.
Today I had an opportunity to continue the discussion while testifying before a congressional hearing on “Assessing Cybersecurity Activities at the National Institute of Standards and Technology and the Department of Homeland Security,” convened by the House Subcommittee on Technology and Innovation.
As I explained to the committee, the complexity and breadth of national governments, and the wide array of constituents they serve, require a careful and thoughtful approach to managing government-wide cybersecurity.
Most governments function like a conglomeration of businesses, each with different missions, partners, customers, data, assets and risks. The number and diversity of component organizations and systems make centralized management impractical—if not impossible. Each agency or ministry has a unique security paradigm with its own threats, so each must manage its own risk.
I believe a hybrid model for government cybersecurity can create both a “horizontal,” centrally managed security framework and customized, “vertical” solutions that meet the specialized security needs of individual agencies.
Such a combination of horizontal and vertical functions would help ensure that minimum security goals and standards are set, while enabling agencies to manage risks appropriately for their unique operating environments.
To maximize the value of a horizontal cybersecurity function, governments must collect the right data; analyze that data; and use the data to drive action.
To achieve these core objectives, I highlighted several tools I believe are essential:
These capabilities are necessary to build an effective government cybersecurity function, but we must also recognize that cyberspace threats are not going to disappear. Technology alone will not create the trust necessary to secure cyberspace and realize the full potential of the Internet. Technological innovation must be aligned with social, political, economic and IT forces to enable change. Microsoft works with partners in the ecosystem to help drive and shape these forces to create a safer, more trusted Internet through our End-to-End Trust vision. Governments must similarly drive forward with clear vision and holistic Information Age strategies to combat these threats to national and economic security, and public safety. As long as threats evolve, so must our efforts to protect against them.