理解美国联邦政府网络安全

前哨按语

2018年4月， 哈佛大学肯尼迪学院Belfer中心发布《理解美国联邦政府网络安全》的报告，作者是美国卡内基国际和平基金会技术和国际事务部的项目负责人、美国国防部负责网络政策的前任代理副助理国防部长凯瑟琳·查莱特（Kate Charlet）。该报告对于了解美国联邦政府网络安全具有重要意义，以下是前哨翻译的报告摘要。关注前哨回复“美国网络安全”可以获取报告全文。

《理解美国联邦政府网络安全》报告摘要

美国联邦政府网络吸引着国外情报部门和网络空间中其他恶意分子。这些为100多个政府部门和数百万联邦雇员提供服务的网络，促成政府使命和运行，处理内部敏感通信，存储成千上万美国人的个人数据。因此，联邦政府网络所面临的威胁程度是其他机构难以相提并论的。

对于信息安全领域之外甚至是某些业内人士来讲，联邦政府网络安全是一个深奥难懂的话题。相关信息散见于一系列政府文件之中，目前缺乏理解此话题“一站式”的介绍。本报告将填补这个空白：

概述联邦政府网络安全全景，包括介绍各联邦机构的角色和职责，识别系统性挑战。

总结联邦政府近期提升网络安全的动力，诸如信息技术现代化，识别高价值资产，使用共享的服务和商业技术，监测和阻断威胁，识别和修复风险因素以及提升事件响应能力。

回顾联邦政府为夯实网络安全基础所做的努力，包括增强网络人力、研究和开发、采购和领导力。

保护联邦民用网络和系统的前景复杂而艰巨。几个系统性因素造成了如此充满挑战的环境：

1. 在集中管理和分散管理之间难以权衡。联邦政府的总体架构很大程度上是分散的，每个机构管理自身的风险，部署自身的安全方案。完全集中管理同样有自身的挑战，例如限制了各机构为应对网络安全挑战去开发定制、敏捷方案的能力。

2. 机构高层领导对网络风险管理的参与程度不同。成功的机构领导能够清楚认识网络风险并积极进行管理。在机构内部，首席信息官权力有很大的差别。

3. 指导、激励和加强不履职联邦机构行动的杠杆有效性不同。国土安全部（DHS）、公共管理和预算办公室（OMB）有一些能推动部分机构行动的杠杆，国土安全部不断增加的行动授权至关重要。

4. 资源限制和严格的政府预算周期。根据网络安全优先级适当配置资源的成本较高，政府预算过程的架构对机构网络安全工作造成挑战。

5. 分散的国会监督。没有一个国会部门完全了解联邦政府的网络安全措施，立法要求散见于许多法案之中，这使联邦机构面对威胁难以适从。

在制定更好地管理联邦政府系统网络风险的方案时，政策制定者、机构领导、网络安全专业人士和国会工作人员应考虑以下主题：

健全的风险管理体系是联邦政府网络安全所有努力的基础。联邦部门不能也无法阻止网络安全事件或侵入的发生。联邦机构必须识别最重要的使命和资产，然后制定策略以减少、减轻或承受风险。

机构领导人持续、高水平的领导是成功的关键。设有专门部门主管或职责的机构更可能战略性运用资源、促成使命或企业所有者参与网络安全，并授权首席信息官采取必要的措施来保护系统和执行标准。

有效管理需要明确的角色和职责。联邦政府网络安全系统是复杂的。这本身并不是坏事，但为确保一致性需要通过不断努力来完善、澄清和制度化角色和职责。

稳定的、循序渐进的进步很常重要。2016的“网络冲刺”尽管成效一般，但它证明当为细化的里程碑负责时，这些机构就可以取得进步，特别在经常被入侵者利用的基本的网络卫生问题上。

一些领域反而需要不断创新，甚至是根本性的“反思”。最先进的机构可以激励和实施诸如劳动力、采购和行政教育等方面的创新理念。

国会扮演着至关重要的角色。国会授权和赋予机构使命、职权和预算。如果没有立法机关的大力支持和参与，不可能有所作为。

资源配置很重要。在网络现代化或吸引网络安全人才方面克扣资源将降低机构捍卫其核心使命的能力，这会对政府和公民造成真正的影响。

不断发展的技术将改变局面。数字生态系统的创新，如自动化，将带来新的威胁和新的防御应用。政府需要提前筹划5到10年以避免落后。

美国联邦政府的网络安全没有捷径。网络系统将保持固有的复杂性，密切协作和合作伙伴很有必要。联邦政府网络安全将是一个长期的使命，为保持领先于威胁，总是在不断发展和变化。换言之，没有“终点线”——只有不断完善、适应和合作才可以确保联邦政府及其所服务的对象安全。

Executive Summary

Federal networks are attractive targets for foreign intelligence services and other malicious actors in cyberspace. Networks serving over 100 agencies and millions of employees enable government missions and operations, handle sensitive internal communications, and store personal data on millions of Americans. The level of threat faced by federal government networks has few parallels, and agencies have been unable to keep up.

Federal cybersecurity is a dense, inaccessible topic to those outside the information security community and even to some inside it. Information is scattered across a variety of government documents, with no “one stop shop” to understand the topic. This report fills the gap by:

Characterizing the federal cybersecurity landscape, to include describing roles and responsibilities of various federal agencies and identifying systemic challenges.

Summarizing recent federal drives to improve it, such as through information technology modernization, identification of high value assets, using shared services and commercial technologies, detecting and blocking threats, identifying and fixing risk factors, and improving incident response.

Reviewing efforts to improve the foundations of federal cybersecurity by enhancing the cyber workforce, research and development efforts, acquisition, and leadership.

Securing federal civilian networks and systems is a complex and daunting prospect. Several systemic factors contribute to a challenging environment:

Difficult tradeoffs between centralized and decentralized management.The overall federal structure is largely decentralized, with each agency managing its own risk, and implementing its own security solutions. Full centralization would bring its own challenges, such as limiting agencies’ ability to develop tailored, agile solutions to their cybersecurity challenges.

Varying levels of engagement of agency top leadership on cyber risk management.Successful agency heads develop an awareness of cyber risk and actively manage it. Within agencies, the authorities of chief information officers vary widely.

Varying effectiveness of levers to direct, incentivize, and enforce action by nonperforming federal agencies.The Department of Homeland Security and Office of Management and Budget have some levers to drive action by individual agencies, and DHS’ increasing operational authority has been critical.

Resource constraints and a rigid government budgeting cycle.Properly resourcing cybersecurity priorities can be expensive, and the structure of the government budgeting process poses challenges for agency cybersecurity efforts.

Scattered congressional oversight.No single congressional body has the full picture of federal cybersecurity measures, and legislative requirements are spread across many bills, making it complicated for federal agencies to adapt to threats.

In developing approaches to better manage cyber risk to federal government systems, policymakers, agency leaders, cybersecurity professionals, and congressional staff should consider the following themes:

Sound risk management underpins all federal cybersecurity efforts. Federal agencies cannot and will not prevent every incident or intrusion. Agencies must identify the most important missions and assets, then craft strategies to reduce, mitigate, or accept the risks.

Sustained, high-level leadership from agency heads is critical to success. Agencies with engaged department heads or deputies are much more likely to use resources strategically, force mission or business owners to attend to cybersecurity, and empower chief information officers to take steps needed to protect systems and enforce standards.

Effective management demands clarity on roles and responsibilities. The federal cybersecurity system is complex. This is not inherently bad but it does demand constant effort to refine, clarify, and institutionalize roles and responsibilities to ensure coherence.

Steady, incremental progress makes a difference. The Cyber Sprint in 2016, modest as it was, demonstrated that agencies can make progress when held accountable for discrete milestones, especially on issues of basic cyber hygiene often exploited by intruders.

Some areas, however, require constant innovation, or even a fundamental “rethink.” The most advanced agencies have policies that reward and implement innovative ideas on topics like workforce, procurement, and executive education.

Congress plays a critical role. Congress authorizes and appropriates agency missions, authorities, and budgets. Very little can be done without strong support and engagement from the legislative branch.

Resources matter. Skimping on resources for modernizing networks or attracting cybersecurity talent will reduce the ability of agencies to secure their core missions, with real impacts to both government and citizens.

Evolving technology will change the game. Innovation in the digital ecosystem, like automation, will bring both new threats and new defensive applications. The government will need to plan 5- to 10-years ahead to keep from lagging behind.

There are no silver bullets for federal cybersecurity. The system will retain its inherent complexity, necessitating close coordination and partnership. Federal cybersecurity will be an enduring mission, always evolving and changing to stay ahead of the threat. In other words, there is no “finish line”—only continual improvement, adaptation, and cooperation to secure the federal government and those it serves.

网络法前哨∣网络法前沿的侦察兵