Federal government CISOs are apparently hesitating to move applications to the cloud because of what they see as concerns over security and policy enforcement. This is according to newly released findings from a 2010 State of Cybersecurity report – published by the non-profit security certification body (ISC)² – which surveyed federal CISO opinions on a range of cybersecurity topics.
The survey shows that 72% of federal CISOs polled are not yet using cloud computing applications because 1) they remain uncertain about their ability to replicate security policy in the cloud (45%) and 2) they have concerns about data loss prevention (21%). This reinforces another concern these federal officers expressed over application security and associated exploitable vulnerabilities, which 27% of them ranked as the primary cybersecurity threat their organizations face.
Lynn McNulty, CISSP, (ISC)² consultant and member of the organization’s U.S. Government Advisory Board for Cyber Security, told Infosecurity that federal officers face many of the same concerns that private-sector decision makers must confront when contemplating a shift toward cloud-based applications.
“Based upon my conversations with CISOs and briefings that I have received, agency CISOs, and CIOs for that matter, are reluctant to use cloud computing for applications that involve highly sensitive information, such as medical records or other personally identifiable data, financial applications, and other high-risk applications”, he said via email, adding that “classified national security information is also an area where public cloud technology will not be used”.
The (ISC)² survey also asked respondents what they would recommend as the highest-priority cybersecurity issues if they were the White House Cybersecurity Coordinator for a day. It came as no surprise that the most popular response (21%) was to improve agency funding to assist in the enforcement of security mandates. Tied for first was the Department of Homeland Security’s Einstein and TIC program designed to monitor incoming and outgoing .gov domain traffic.
Coming in a close third was CISOs’ desire to expand cybersecurity coordination to the states and private sector, an indicator that respondents feel that local governments and the private sector should have a more vested role in a cybersecurity partnership. With this in mind, Infosecurity asked McNulty if the interconnectedness of our digital world made it necessary for the federal government to take the lead not only in protecting and monitoring its own networks, but also in developing a comprehensive cybersecurity policy to protect private sector networks as well.
“My personal feeling is that the government should not seek to take the lead to protect private sector networks”, he responded. “The model we have been following over the past decade in the cyber security/critical infrastructure area is that of a public/private sector partnership. I believe that the issues of personal privacy, limited government, and the proper role of foreign intelligence agencies in domestic issues make government leadership in this field an undesirable alternative.”