Where For Art Thou, 60-Day Review

Posted May 7th, 2009 by

April Fools’ Day pranks aside, I’m wondering what happened to the 60-day Cybersecurity Review. Supposedly, it was turned in to the President on the 17th. I guess all I can do is sigh and say “So much for transparency in Government”.

I’m trying hard to be understanding here, I really am.  But isn’t the administration pulling the same Comprehensive National Cybersecurity Initiative thing again, telling the professionals out in the private sector that it depends on, “You can’t handle the truth!”

And this is the problem. Let’s face it, our information sharing from Government to private sector really sucks right now. I understand why this is–when you have threats and intentions that come from classified sources, if you share that information, you risk losing your sources. (ref: Ultra and Coventry, although it’s semi-controversial)

Secret Passage photo by electricinca.

Looking back at one of the weaknesses of our information-sharing strategy so far:

  • Most of the critical infrastructure is owned and operated by the private sector.  Government (and the nation at-large) depends on these guys and the resilience of the IT that these
  • The private sector (or at least critical infrastructure owners and operators) needs the information to protect their infrastructure.
  • Our process for clearing someone to receive sensitive information is to do a criminal records investigation, credit report, and talk to a handful of their friends to find out who they really are.  It takes 6-18 months.  This is not quick.
  • We have some information-sharing going on.  HSIN and Infragard are pretty good so far–we give you a background check and some SBU-type information.  Problem is that they don’t have enough uptake out in the security industry.  If you make/sell security products and services for Government and critical infrastructure, you owe it to yourself to be part of these.
  • I’ve heard people from Silicon Valley talk about how the Government doesn’t listen to them and that they have good ideas.  Yes they do have some ideas, but they’re detached from the true needs because they don’t have the information that they need to build the right products and services, so all they can do is align themselves with compliance frameworks and wonder why the Government doesn’t buy their kit.  It’s epic fail on a macromarket scale.

In my opinion, Government can’t figure out if they are a partner or a regulator.  Choose wisely, it’s hard to be both.

As a regulator, we just establish the standard and, in theory anyway, the private sector folks don’t need to know the reasoning behind the standard.   It’s fairly easy to manage but not very flexible–you don’t get much innovation and new technology if people don’t understand the business case.  This is also a more traditional role for Government to take.

As a partner, we can share information and consequences with the private sector.  It’s more flexible in response but takes much more effort and money to bring them information.  It also takes participation from both sides–Government and private sector.

Now to tie it all off by going back to the 60-Day Cybersecurity Review….  The private sector needs information contained in the review.  Not all of it, mind you, just the parts that they need to do their job.  They need it to help the Government.  They need it to build products that fit the Government’s needs.  They need it to secure their own infrastructure.

3 Responses

  1.  Top 3 NoVA Infosec Blog Posts of the Week | NovaInfosecPortal.com Says:

    […] #2 – 60 Days And Counting: With the 60-day security review nowhere in sight, @rybolov sums up our feelings perfectly when he says “I’m trying hard to be understanding here, I really am.  But isn’t the administration pulling the same Comprehensive National Cybersecurity Initiative thing again, telling the professionals out in the private sector that it depends on, ‘You can’t handle the truth!’” With the review supposedly turned into President Obama on the 17th, @rybolov makes the astute observation that “our information sharing from Government to private sector really sucks right now.” @rybolov then goes on to talk about how the government can’t seem to decide whether they’re a partner or a regulator, and why they need to choose one or the other instead of trying to (rather unsuccessfully) be both.  Because as @rybolov points out, the ‘are we a regulator or a partner’ conundrum is making it hard for the private sector to do their job. You can read the full post here. […]

  2.  PorterD4 Says:

    Yes, I too find myself working Google to find any tidbit on the revelation of the 60 day review. Transparency aside, the sheer scope of what had to be reviewed, the sensitive nature of the data and trying to make it palatable for regular folk has to be a daunting task. President Obama and friends, please take your time. There is too much at stake for some hare-brained, Wile E. Coyote plan that every security expert will read and snicker. Security folk already know what should be done, security R&D, better awareness and training at the end-user level, out-of-the-box secured systems. I don’t expect anything new from this review, but I think there is a chance something smart and useful will come out of it. I’ll keep scouring the ‘net for signs of the review, but until it drops, I will wait patiently and be ready to do my part when it does.

  3.  Jack Bauer Says:

    Here’s an interesting article – http://online.wsj.com/article/SB124113159891774733.html

    Says “Mr. Summers’s staff is also seeking to edit the report’s language about vulnerabilities of financial institutions to play down the threat to banks, arguing that the Treasury department has the problem under control, said one person close to the drafting.” Hmmm…maybe that’s the reason for the delay…political games afoot? Couldn’t be.
