JANUARY 2012 / FOREIGN SERVICE JOURNAL
curity challenge that in many ways mirrors those multinational companies confront. But in a blow to the rhetoric of those who reflexively laud the private sector and disparage government bureaucracies, State’s approach to network security is so innovative and effective that many large companies are clamoring to copy it.

As Siobhan Gorman reports in the Sept. 26 issue of the Wall Street Journal, State’s program scans computers throughout the department every three to four days to detect security vulnerabilities, compiles the data in one place and provides grades to each office. “We know anywhere in the world what our risk is,” says John Streufert, State’s deputy chief information officer for information assurance and one of the program’s four creators.

For example, after the high-profile 2009 cyberattacks on Google, State assigned a high priority to the software fix that would prevent that mode of attack. Within six days, 85 percent of its computers had the fix.

“Almost no private-sector organization can do this,” Streufert points out. “The bulk of American corporations and government [offices] are treating all weaknesses as if they are the same.”

State’s approach differs from commercially available network-monitoring programs in that it uses a market-based approach to create incentives to fix security gaps. Specifically, it quantifies a range of security risks and “monetizes” them into a “common currency” that assigns the most points to the highest-priority security gaps, Streufert says. Those points are factored into a site’s grade each day, so that security officials can always identify the biggest gaps and, thus, attend to priority problems first.

Since launching the system three years ago, State has received a growing number of inquiries from an array of companies, ranging from Microsoft, General Electric and J.P. Morgan Chase to the computer security firm RSA and Heartland Payment Systems, a credit-card payment processor that fell victim to a major cyberattack a few years ago. At least 40 organizations have requested the software code for State’s program, which Streufert gives away for free.
Prioritizing security gaps is one of
CYBERNOTES
50 Years Ago...

The first year of a new administration is a time of testing of many new ideas and people. 1961 was no exception to this pattern. Three new agencies have come into being. New forms and methods of foreign assistance will, with congressional blessing, be vigorously pursued by AID. The Peace Corps has been born. The Arms Control and Disarmament Agency has begun its important work.

To ensure the coordination of the activities of these agencies both at home and abroad, the authority of the Secretary of State over them has been made clear. The Foreign Service, on its part, must do all within its power to support their activities. This will require, in particular, a much closer integration of effort, especially in Washington and in the substantive areas of our embassies, than has existed heretofore.

— From “Balance Sheet for 1961” (Editorial), FSJ, January 1962.