Earlier this summer, FCW reported how Sen. Sheldon Whitehouse (D-R.I.) was proposing a major shift from the current practice of having each federal agency’s inspector general (IG) handle security inquiries. Whitehouse recommended that there be a single inspector general in charge of auditing cybersecurity practices across federal civilian networks.
“A single, specialized office dedicated to federal cybersecurity, with authority to do white-hat tests of agency security, could attract world-class talent and would spur federal agencies to keep pace in the cyber arms race against hackers,” Whitehouse said in a June 6 speech in Washington, D.C.
While opponents claim that such a move might limit the agency-specific knowledge of networks and IT spending required to be effective, the recommendation supports a shift as civilian agencies are being encouraged to view security from an enterprise perspective leveraging information sharing and the ability to look across agency boundaries for outside vulnerabilities that may impact them.
Whitehouse also advocated broader Active Defense of networks including the ability to “hack back” adversaries under certain circumstances, as well as a new bill he introduced that would increase penalties for anyone selling or providing access to botnets.
It is very encouraging to see Government starting to think about cybersecurity from enterprise perspective and this would include the appointment of an overarching IG. But only if the IG focuses less on things like white hat testing and more on mandating that agencies understand their risk profile and reduce their risk exposure to better protect their most critical assets and infrastructure.
Exploring the parameters of Active Defense and reducing botnet attacks is important, but again, the focus and priority must turn to understanding and protecting an agency’s most critical assets.
And like the Cloud Security Alliance is doing for its membership, a new IG should be recommending game changing security architectures, such as the reference implementation of software defined perimeters, as a proven solution.
Watch this blog for more info and check out this white paper on Software Defined Perimeters.