Last Friday, President Obama and Melissa Hathaway released their 60-day review of the state of cyberspace security in the U.S., that is to say, of what our posture is as a country and a government. After having read the report over the weekend, I have come to the conclusion that even after a 60-day review, the president and staff (including perhaps Hathaway) have not one clue as to how they really can make a difference in the country's cyber security levels.
There are platitudes and half-thought-out postulates about having more "investigation" into how to handle many of the issues at hand where the security of the country via the internet and computing are concerned. But the big answers are just not there, folks. Just how much more investigation are we going to need before the government actually makes a decision on how to mandate secure practices, enforce them, and secure the nation's infrastructure properly?
Of course I understand that this is a complex issue and that it surely cannot be fixed right away with a clap of the hands. However, I do expect there to be more substance and direction in this document. All in all, I was unimpressed, and I hope that perhaps this was just a slow start for the administration. It remains to be seen, I guess.
What would I recommend?
1) The carrot-and-stick program for contractors and the private sector should have more stick and less carrot. I firmly believe that if the private sector is not forced to change its lax security ways by mandates from the government, then it will not change at all.
2) The position of presidential liaison for cyber security initiatives needs to be more than just an assistant position, which is basically what it is now per the speech and the release of the report. This position needs to be cabinet level, have more solid mandates, and certainly have the essential empowerment to help shape the security of the country's infrastructure. As it stands now, this position will just be the middleman between government bodies and will likely feel more like a yo-yo than a position that can effect real change.
3) A separate agency should be created that is autonomous from DHS, CIA, NSA, etc., and its primary goal should be the enforcement of secure processes and implementations, along with oversight, within the arena of cyber security. The infighting between agencies now would only be a detriment, and we have all seen just how well DHS has been handling our data, never mind keeping us "secure." Giving DHS anything to do with cyber security would only serve to hasten the utter defeat that the likes of the Chinese would love to inflict upon us.
4) Said agency will have to have a direct and solid mandate, with backing from the highest authorities, not only to educate the nation on security but also to enforce any laws and/or policies that the government creates covering infosec and cybersec. Red teaming and audits that occur on a regular but "unplanned" basis (spot checks) should be the norm. These types of audits will keep the private sector on its toes and leave less room for gaming the system.
As it stands now, this document only vaguely points toward an idea of what the government "wants to maybe" do concerning the security of our infrastructure. Admittedly, this is a step in the right direction, but it is just not enough.
Cyberspace Policy Review 2009