April Fools’ Day pranks aside, I’m wondering what happened to the 60-day Cybersecurity Review. Supposedly, it was turned in to the President on the 17th. I guess all I can do is sigh and say “So much for transparency in Government”.
I’m trying hard to be understanding here, I really am. But isn’t the administration pulling the same Comprehensive National Cybersecurity Initiative thing again, telling the professionals out in the private sector that it depends on, “You can’t handle the truth!”?
And this is the problem. Let’s face it, our information sharing from Government to private sector really sucks right now. I understand why this is–when you have threats and intentions that come from classified sources, if you share that information, you risk losing your sources. (ref: Ultra and Coventry, although it’s semi-controversial)
Secret Passage photo by electricinca.
Looking back at one of the weaknesses of our information-sharing strategy so far:
- Most of the critical infrastructure is owned and operated by the private sector. Government (and the nation at-large) depends on these guys and the resilience of the IT that these
- The private sector (or at least the critical infrastructure owners and operators) needs that information to protect its infrastructure.
- Our process for clearing someone to receive sensitive information is to do a criminal records investigation, credit report, and talk to a handful of their friends to find out who they really are. It takes 6-18 months. This is not quick.
- We have some information-sharing going on. HSIN and InfraGard are pretty good so far–we give you a background check and some SBU-type information. Problem is that they don’t have enough uptake out in the security industry. If you make/sell security products and services for Government and critical infrastructure, you owe it to yourself to be part of these.
- I’ve heard people from Silicon Valley talk about how the Government doesn’t listen to them and that they have good ideas. Yes they do have some ideas, but they’re detached from the true needs because they don’t have the information that they need to build the right products and services, so all they can do is align themselves with compliance frameworks and wonder why the Government doesn’t buy their kit. It’s epic fail on a macromarket scale.
In my opinion, Government can’t figure out if they are a partner or a regulator. Choose wisely, it’s hard to be both.
As a regulator, we just establish the standard and, in theory anyway, the private sector folks don’t need to know the reasoning behind the standard. It’s fairly easy to manage but not very flexible–you don’t get much innovation or new technology if people don’t understand the business case. This is also the more traditional role for Government to take.
As a partner, we can share information and consequences with the private sector. It’s more flexible in response but takes much more effort and money to bring them information. It also takes participation from both sides–Government and private sector.
Now to tie it all off by going back to the 60-Day Cybersecurity Review…. The private sector needs information contained in the review. Not all of it, mind you, just the parts that they need to do their job. They need it to help the Government. They need it to build products that fit the Government’s needs. They need it to secure their own infrastructure.