The Foreign Service Journal, January 2012

[...] security challenge that in many ways mirrors those multinational companies confront. But in a blow to the rhetoric of those who reflexively laud the private sector and disparage government bureaucracies, State’s approach to network security is so innovative and effective that many large companies are clamoring to copy it.

As Siobhan Gorman reports in the Sept. 26 issue of the Wall Street Journal, State’s program scans computers throughout the department every three to four days to detect security vulnerabilities, compiles the data in one place and provides grades to each office. “We know anywhere in the world what our risk is,” says John Streufert, State’s deputy chief information officer for information assurance and one of the program’s four creators.

For example, after the high-profile 2009 cyberattacks on Google, State assigned a high priority to the software fix that would prevent that mode of attack. Within six days, 85 percent of its computers had the fix.

“Almost no private-sector organization can do this,” Streufert points out. “The bulk of American corporations and government [offices] are treating all weaknesses as if they are the same.”

State’s approach differs from commercially available network-monitoring programs in that it uses a market-based approach to create incentives to fix security gaps. Specifically, it quantifies a range of security risks and “monetizes” them into a “common currency” that assigns the most points to the highest-priority security gaps, Streufert says. Those points are factored into a site’s grade each day, so that security officials can always identify the biggest gaps and, thus, attend to priority problems first.

Since launching the system three years ago, State has received a growing number of inquiries from an array of companies, ranging from Microsoft, General Electric and J.P. Morgan Chase to the computer security firm RSA and Heartland Payment Systems, a credit-card payment processor that fell victim to a major cyberattack a few years ago. At least 40 organizations have requested the software code for State’s program, which Streufert gives away for free.

Prioritizing security gaps is one of

CYBERNOTES

50 Years Ago...

The first year of a new administration is a time of testing of many new ideas and people. 1961 was no exception to this pattern. Three new agencies have come into being. New forms and methods of foreign assistance will, with congressional blessing, be vigorously pursued by AID. The Peace Corps has been born. The Arms Control and Disarmament Agency has begun its important work.

To ensure the coordination of the activities of these agencies both at home and abroad, the authority of the Secretary of State over them has been made clear. The Foreign Service, on its part, must do all within its power to support their activities. This will require, in particular, a much closer integration of effort, especially in Washington and in the substantive areas of our embassies, than has existed heretofore.

— From “Balance Sheet for 1961” (Editorial), FSJ, January 1962.