Interesting article in Security Focus on President Obama and cybersecurity. Yes, I complained on twitter because the “document on homeland security” is not really any kind of a solution, more like a bullet list of goals that sound suspiciously like a warmed-over campaign platform.
Guess what? Every President does this, they put out their agenda for everyone to see. With the last administration, it was the 5-point President’s Management Agenda.
Let’s be honest here, as Bubba the Infantryman would say, “There are only a couple of ways to suck an egg, and this egg has been around for a long time.” Any cybersecurity strategy will hark back to the National Strategy to Secure Cyberspace because the problems are the same. If you remember back to when the NStSC was first released, a horde of critics appeared out of the woodwork to say that there weren’t enough implementation details and that the strategy wouldn’t be implemented because of that. Well, they were partly right.
And now there’s the President stating his agenda with the same ideas that people have been saying, in more detail, for 6 years, and suddenly it’s new and innovative. That’s politics for you, folks. =) Bubba, in a rare fit of wisdom, would say “The way you can tell the true pioneers is that they have arrows sticking out of their backs” and it might seem apropos here, if maybe a little bit cynical.
Hidden Agenda Eats Agenda photo by emme-dk.
Let’s go through each of the points with a little bit of analysis from myself:
Strengthen Federal Leadership on Cyber Security: Declare the cyber infrastructure a strategic asset and establish the position of national cyber advisor who will report directly to the president and will be responsible for coordinating federal agency efforts and development of national cyber policy.
Great idea. Between OMB, NIST, DHS, DoD, DOJ, and a cast of thousands, there is a huge turf war over who really owns security. Each of these groups does a phenomenal job doing what it is they do, but coordination between them is sometimes more like a semi-anarchist commune than a grand unified effort. I seem to remember saying at one point that this was needed. Granted, I was specifically talking about the internal side of the InfoSec Equities Issue, so the scope here is a little different.
The Cyber Czar is literally buried deep down inside DHS with no real authority; a presidential advisor like the one in the agenda would report directly to the President.
Initiate a Safe Computing R&D Effort and Harden our Nation’s Cyber Infrastructure: Support an initiative to develop next-generation secure computers and networking for national security applications. Work with industry and academia to develop and deploy a new generation of secure hardware and software for our critical cyber infrastructure.
We have a very good R&D plan in place (.pdf caveat), it just needs to be adopted and better funded. For those of you who need a project, this is like a wishlist on things that some very smart Government guys are willing to fund.
Protect the IT Infrastructure That Keeps America’s Economy Safe: Work with the private sector to establish tough new standards for cyber security and physical resilience.
Ouch, I cringe when I read this one. Not that it isn’t needed, because when it really comes down to it, every CISO in the US is dependent on the software and hardware vendors and their service providers.
Something the world outside the Beltway doesn’t understand is that “standards” are roughly equal to “regulation”. It’s much, much better if the Government goes to industry groups and says “hey, we want these things to be part of a standard, can you guys work to put it all together?” There might be some regulation that is needed, but it should be kept as small as possible. Where the Government can help is to sponsor some of the standards and work along with industry to define them.
Maybe the best model for this is the age-old “lead the horse to water, demonstrate to the horse how to drink, hold the horse’s mouth in the water, and you still can’t get it to drink.” We’ve tried this model for a couple of years; what is needed now is some kind of incentive for the horse to drink and for vendors to secure their hardware, software, firmware, and service offerings.
Prevent Corporate Cyber-Espionage: Work with industry to develop the systems necessary to protect our nation’s trade secrets and our research and development. Innovations in software, engineering, pharmaceuticals and other fields are being stolen online from U.S. businesses at an alarming rate.
Maybe this gets down to political beliefs, but I don’t think this is the Government’s responsibility to prevent corporate cyber-espionage, nor should you as a company allow the Government to dictate how you harden your desktops or where you put your IDS. If you are not smart enough to be in one of these high-tech industries, you should be smart enough to keep your trade secrets from going offshore, or else you’ll die like some weird brand of corporate darwinism.
Government can prosecute evildoers and coordinate with other countries for enforcement efforts, which is exactly what you would expect their level of involvement to be.
Yes, in some cases when it’s cyber-espionage directed at the Government by hacking contractors or suppliers (the military-industrial complex), then Government can do something about it with trickle-down standards in contracts, and they usually do. Think ITAR export controls scoped to a multi-national corporation and you have a pretty good idea of what the future will hold.
Develop a Cyber Crime Strategy to Minimize the Opportunities for Criminal Profit: Shut down the mechanisms used to transmit criminal profits by shutting down untraceable Internet payment schemes. Initiate a grant and training program to provide federal, state, and local law enforcement agencies the tools they need to detect and prosecute cyber crime.
This point is interesting to me. We already have rules to flag large transactions or multiple transactions; that’s how Eliot Spitzer got caught. “Untraceable Internet payment schemes” sounds like pulp-fiction stuff and income tax tracking to me; I would like to know if they really exist.
On the other hand, law enforcement does need training. There really is a shortage of people with the law enforcement and technical security backgrounds who can do investigations.
Mandate Standards for Securing Personal Data and Require Companies to Disclose Personal Information Data Breaches: Partner with industry and our citizens to secure personal data stored on government and private systems. Institute a common standard for securing such data across industries and protect the rights of individuals in the information age.
National data breach law == good, because it standardizes all of the state laws that are such a hodge-podge you need a full-time staff dedicated to breaking down incidents by jurisdiction. We have something like this proposed, S.459, which just needs to be resurrected and supported by the Executive Branch as part of their agenda.
A common standard could be good as long as it’s done right (industry standards vs. Government regulation); see my comments above.
Note some key points I want you to take away:
Nothing is new under the sun. These problems have been around a long time, and they won’t go away in the next 4 years. We have to build on the work of the people who have come before us, because we know they’ve looked at the problem and came to the same conclusions we will eventually come to.
Partnership is emphasized. This is because, for all the lip-service we give to the Government solving our problems, the American Way (TM) is for the Government not to be your Internet Nanny. Government can set the environment to support private information security efforts, but it really is up to the individual companies to protect themselves.
Industry needs to solve its own problems. If you want the Government to solve the nation’s information security problems, it means that we take US-CERT and have them monitor everything whether you want them to or not. Yes, that’s where things are heading, folks, and maybe I just spilled the beans on some uber-secret plan that I don’t know about yet. Trust me, you don’t want the transparency that the Government watching your data would provide.
Be careful what you ask for. You just might get it. When it comes to IT security, be extra careful because you’ll end up with regulation which means more auditors.
Agenda Graffiti photo by anarchosyn.