OMB issues new rules on IT security - FederalTimes.com


OMB issues new rules on IT security

Say goodbye to lengthy annual reports on cybersecurity. The Office of Management and Budget ordered federal civilian agencies to adopt a near-real-time approach to cyber threats in a memo issued last month.

"Agencies have spent too much time, money and energy on generating paperwork that they end up filing away in these secure cabinets and they don't end up protecting systems," Vivek Kundra, the government's chief information officer, said in an interview.

This summer, agencies will begin to send automated data feeds on cyber threats to a system called CyberScope, operated by the Homeland Security Department's National Cyber Security Division. The DHS office then analyzes the data and offers advice to agencies on ways to address vulnerabilities and defend against cyber attacks. The new approach will allow agencies to share information and combat cyber attacks more rapidly, Kundra said.

"It's such a big change because the old way got no risk reduction and the new way gets massive risk reduction," said Alan Paller, director of research at the SANS Institute, a Maryland-based computer security research firm.

The paper reports agencies file annually to comply with the Federal Information Security Management Act (FISMA) have cost the government more than $3 billion and are "completely useless," Paller said.

At the State Department, for instance, spending on those reports came out to $133 million in the past six years, or $1,400 per page, Kundra said. The information in the reports was often obsolete by the time they were prepared and submitted, Paller and other experts say.

Annual reporting will still be required under FISMA, but now CyberScope will generate reports. The government's focus will shift to make reporting a byproduct of cyber defense actions, and not an end in itself, Kundra said.

"What we were doing was confronting a threat that's real time in nature with annual reports," Kundra said. "That's an asymmetrical advantage to those who want to do harm to our systems."

OMB will convene cybersecurity officials from federal agencies May 7 to discuss the plan, Kundra said. Agencies should be feeding data to DHS on their cybersecurity threats by July, he added. Funds for the shift should be available within existing cybersecurity budgets, he said, and eliminating the onerous annual reports will free up resources.

The OMB memo also emphasized the need for agency-specific strategies to combat cyber threats. OMB will hold individual interviews with each agency to assess their plans, Kundra said.

Paller said implementation of the new approach will take time. It likely will take about a year before most agencies are fully operational, he said. Obtaining the necessary technology shouldn't be difficult, Paller said, but it may be hard to integrate some agencies' various component parts into a unified cybersecurity system.

"The only problem they'll have is a bit of a leadership problem," he said.

Kundra and federal cybersecurity coordinator Howard Schmidt formed a task force in September to assess agencies' cybersecurity programs. After meeting with experts from the public and private sectors, the group recommended a governmentwide move toward continuous monitoring of cyber threats. Agencies including the State Department, NASA and the FBI have already switched to this approach, Kundra said.

John Streufert, State's chief information security officer, said security vulnerabilities on the department's personal computers and servers were cut by about 90 percent between July 2008 and July 2009, after new standards were implemented.

State is now able to identify and address especially serious cyber threats that worm their way into the department's computers and servers. For instance, Streufert said, when the "Aurora" cyber attack that successfully stole information from Google last year was discovered, State was able to alert its security employees around the world and significantly improve its defenses against the attack within five days.

"It finds the needles in the haystack and attaches an electronic strobe light to them," Streufert said.

OMB's efforts to eliminate paper-based reporting will free up more resources to fight cyber threats, he said.

"These paperwork reports have the State Department marching double time," Streufert said. "We march once for operational security, and we march once for the paperwork."

More remains to be done

But large gaps remain in federal cybersecurity, Streufert said. Even at State, the progress made in reducing risks has been limited to personal computers and servers that use Microsoft operating systems. This is a significant chunk of the department's information technology infrastructure, but the agency is still trying to extend real-time risk evaluation to all of its infrastructure and applications. State also wants its offices around the world to collect and report data on vulnerabilities in its systems every three days instead of every seven.

"I can't be comfortable with what we've done at the State Department with so much undone," Streufert said.

Overhauling FISMA will be a critical next step, said Paul Wohlleben, a former federal chief information officer who is now a partner at the consulting firm Grant Thornton. Wohlleben oversees an annual survey of federal chief information officers on behalf of the trade association TechAmerica.

OMB's new guidance may save time and money when it comes to FISMA compliance, he said, but won't significantly improve cybersecurity.

"I don't think this memo's going to improve our security posture by any exponential measure," Wohlleben said.

He recommended government agencies consolidate their networks and data centers — possibly using cloud computing — and impose limits on federal employees' ability to access files from outside the office or take them home on devices such as thumb drives.

Cyber attacks continue to escalate

As the government continues to develop its cybersecurity strategy, threats are increasing.

Director of National Intelligence Dennis Blair told a Senate committee in February that "malicious cyber activity is occurring on an unprecedented scale with extraordinary sophistication" and the nation's "critical infrastructure is severely threatened."

Streufert said State has seen about twice as many cyber attacks so far in fiscal 2010 as it did in 2009.

"As the adversaries have increased their tempo, the government needs to increase the frequency it's checking for problems," Streufert said.

Photo caption: John Streufert, State's chief information security officer, said security vulnerabilities on the department's personal computers and servers were cut by about 90 percent between July 2008 and July 2009, after new standards were implemented. (Sheila Vemmer / Staff file photo)
