At the beginning of the year, I was absolutely tickled pink: I almost had a copycat.

The NinjaCISO blog was started shortly after the new year and seemed interesting in what they had to say over the next couple of months.  I eagerly waited for their every post, wondering what kind of insight the Ninja would come up with next.  Since for the most part we operate in unchartered waters here at the Guerilla-CISO, it sometimes is nice to get different points of view so we don’t feel like we’re some kind of bizarre Government information security self-licking ice cream cone.

Then in mid-February, the whole blog was replaced with a cartoon saying that “On the Internet, nobody knows that you’re a dog”.  This can mean only one thing:  the Ninja was given a cease-and-desist by their chain of command and was forced to commit blog seppuku.  And the blogging world experienced a small void.

Nobody Knows You’re a Dog lifted from NinjaCISO.com.

See, dear readers, this is a problem for Government employees who blog.  Let’s look at a little bit more extreme example: military bloggers (milblogs).

You see, the military has gone back and forth on this a couple of times.  In April 2007, the Army decided that soldiers shouldn’t blog without notifying their commander, (clarified here) and the Global War Against Blogs was started, much to the dismay of a lot of clueful people who understand the value that blogs bring to the DoD.

Yes, Joe is dumb.  Joe talks about stuff that he shouldn’t really talk about.  But Joe can also talk about the village in Afghanistan where he’s a local hero because he rescued a policeman while he was being held hostage.  Joe can also talk about the school that the Taliban burned and how US money and some “local matching funds” from the Provincial Governor brought carpets, pens, and pads of paper so that the kids could continue to learn how to read and write.

And this is the conundrum: in a war where the “bad guys” are winning the media war, how do you give a voice to the guys doing good things but just enough so that they don’t talk about anything that you don’t want them to–troop movements, physical security problems, and how they really feel about the administration’s policies?

And so back to my real message here:  we as an industry need to hear from the invisible people who make information security in the Government work.  Otherwise, you would think that FISMA is failing, Government CISOs are a bunch of buffoons who don’t know how to get a good report card, DHS is monitoring the Interwebs looking for the next Nick Haflinger, and the only people getting any benefit out of the way we do information security is a bunch of fat-cat contractors and their shareholders. (Side note, how do I sign on for this contractor wealth thing?  I must be doing it all wrong.)

We now have an administration that talks about openness, transparent democracy, and all this Government 2.0 stuff.  Truth be told, I don’t think anybody has thought about extending that transparency to trickle down to the “worker-bees”.  These are really 2 different issues: official blogs v/s personal blogs that might be career-related.  I think we have a pretty good handle on the official blogs, but there is a huge void of policy in the realm of personal blogs.

Message to the administration: what we want and need is a blog policy for Government employees that works like this:

• Don’t use your title or agency in anything you write
• Don’t use Government IT resources (desktops, servers, or network) to blog
• Don’t blog at work on the clock as a Government employee
• Do use a pseudonym if at all possible
• Do not violate the Hatch Act with your blog
• Do try to blog objectively about policy issues
• Do talk about your successes
• Do encourage others to make the Government the best that it can be
• Do offer suggestions to problems

As for the NinjaCISO’s content, you can catch bits and pieces of it here on Technorati.

Orwell’s Reporter Lady Goldstein photo by Boris from Vienna.  For clarification, we’re not talking 1984-type things here folks, this is just the blagosphere.  However, it is a funny picture.

• What’s Missing in the way the Government does Security?
• Needed: Agency CSOs
• An Open Letter to NIST About SP 800-30
• On Why I Blog… FUD is the Reason for the Writin’
• The World Asks: is S.773 Censorship?