An Open Letter to the Next President of the United States

Posted May 8th, 2008 by

Dear <enter candidate’s name>,

Congratulations on your inauguration as the President of the United States. This is a huge accomplishment in your career.

I am writing this letter to tell you that you are inheriting a phenomenal opportunity to succeed when it comes to IT security in the Government. Your predecessors have built a very viable framework for IT security in the US Federal Government. Arrayed around you are some of the brightest and the best people who have done extraordinary work in increasing the cyber security of the United States Government. The following people are included in their ranks:

  • Ron Ross and Marianne Swanson and the rest of the staff in the NIST FISMA project who have labored long and hard to provide research, standards, and guidance not just to the Federal Government but to the nation and the rest of the world.
  • Karen Evans and the rest of the staff at OMB who have set the policy that the executive branch has followed. They are not afraid to make decisions in the face of adversity.
  • US-CERT and the Department of Homeland Security have made huge strides towards building a Government-wide monitoring system. Considering that they started “from scratch” 5 years ago, this is a non-trivial accomplishment.
  • The people at DISA and NSA who have developed technical guidance before it was popular to do so–before FISMA, before PPD-63.

These and countless other people have “fought the good fight” in bringing IT security to the masses on a scale that is unprecedented in history.

But from where I, a humble servant of the public, stand, there are 2 things that you and your administration can do as a whole to increase our Government’s IT security.

#1 Please appoint an executive-branch Chief Information Officer (CIO) and a Chief Information Security Officer (CISO) with both the responsibility and the authority to secure the executive branch’s IT systems. The reason I ask for this is that the Federal Government’s IT infrastructure is a federation of individual business units that are managed separately for risk. At each level of Government, there is an IT manager and a security person to support them–all the way up the chain of command–except for at the top where there is a void wanting to be filled.

As has often been said, the answer to bureaucracy is not to throw more bureaucracy at it, and so creating new positions is not something to do lightly. What our nation needs is a pair of true technology managers at the executive branch level who can adequately manage risk instead of compliance. This is a tremendous need for the executive branch: OMB is focused on compliance and fiscal responsibility, NIST is focused on research and developer outreach, US-CERT is focused on highly tactical IT security operations, and no one entity controls the strategic security direction of the nation.

#2 Please learn how to use the economic might of the Federal Government to allow the market to determine winners in the security space. What I mean by this is that the Government has for too long put up with inferior IT products and services because we do not present a unified front to the vendors.

Our Federal IT budget for this year is ~$75B, and this is a huge force to bring to bear on the market. This means that the Government is in a prime position to get whatever it asks for from the technology industry; all you have to do is use your fiscal power in a coordinated manner.

Once again, congratulations on the new job.


Cheers

–Rybolov

Image: White House with a Tilt Shift by Michael Baird



Posted in FISMA, Odds-n-Sods, Rants, Risk Management | 2 Comments »
An Informal Study on the Literacy Level of Security Blogs–We All Get Pwned by Amrit

Posted April 30th, 2008 by

OK, I saw this really cool widget on a blog somewhere.  It tests the literacy level of your blog and tells you at what level you write.  Sure, OK, I’ll bite.  Bloggers love bling, dontcha know?

Image: The Genius Widget

Fortunately for anybody who has eyes, the code that the site gives you to put the widget on your blog contains an SEO-spamming link. Oh joy, it’s easily removable if you’re halfway knowledgeable. But you can still use the textbox to feed URLs to the machine.

Anyway, in the interest of science and all things egotastical, I submitted some sample security blogs and was highly surprised at some of the results.  My rundown on how particular sites rate:

Now if I check out Amrit’s blog tomorrow and he’s got a genius sticker displayed prominently on his site, I’ll take the blame and rage from the blogosphere.  It’s only fitting.

To be honest, I’m surprised I didn’t come in at the preschool level, what with my lowbrow sense of humor and all.  =)



Posted in Odds-n-Sods, The Guerilla CISO | 10 Comments »
Me and Mr Suitcase

Posted April 9th, 2008 by

After a couple of years, we’re getting acquainted again.  Let’s say that ever since I got back from the “Giant Kitty-Litter Box”, I’ve been killed on traveling.  That is changing now.

Last week, it was advanced hire orientation in Atlanta, next week is Guardium training in Massachusetts.  (Yay DAM, I wonder how many “DAM” jokes I can throw in one day)
Fun, fun, fun.



Posted in Odds-n-Sods | 1 Comment »

Guilty Pleasures and UR ECONOMEEZ

Posted March 28th, 2008 by

OK, I’ve been a fan of LOLFED for a week now.  I have to admit, I’m probably missing some things because I’m not a CPA.  =)



Posted in Odds-n-Sods | 2 Comments »

Friday Subversive Music–Nina Hagen

Posted March 21st, 2008 by

Ah, the infamous Nina Hagen, singing about God, aliens, sex, Germany, vivisection, and numbers.  She’s half opera diva, half devil, and all things in-between. =)



Posted in Odds-n-Sods | 3 Comments »

Meerkats Join the Big 4

Posted March 21st, 2008 by

It’s been a little while since I did anything offbeat (OK, some of you could claim “absolutely bat-sh*t crazy”), so here goes.  Riding the success of my earlier Meerkats and Risk Management post, we’re now following our young, dashing meerkat protagonist off to his new tribe in the Big 4.  Let’s have a look at his diary, shall we?

17 March 2008: Dear diary, life has been different since I left my clan of the widget-makers-and-maintainers.  Here in my new clan, we have a different subset of meerkats:  the bugcounters.  They’re the strangest sort of meerkats you could imagine.  Instead of eating the bugs that we find out while foraging, they insist that we bring them all back so that they can count them.  They put them into a pile, count the bugs, and then, check this out, they ask a rival clan to come count them again just in case they didn’t count them correctly the first time.

18 March 2008: Dear diary, I read in the Kalahari Times that one clan of bugcounters actually ate another.  I think this is completely misunderstood, but when my clan traveled to the second clan’s foraging territory, all that we could hear was the sound of “Om Nom Nom” and couldn’t bear to see the outcome.  I think it had something to do with this website and risk management.

19 March 2008: Dear diary, how we ended up with so many young, happy meerkats in my clan is beyond me, but I suspect the alpha male and female taking a cruise to the Bahamas three months ago had something to do with it. At any rate, we’re inundated with young meerkats. In some ways, our burrow is like the meerkat nursery, and every senior meerkat is a babysitter at one point or another, in addition to a sentry, forager, and burrow-digger.

20 March 2008: Dear diary, my burrow has a new type of automatic bug-preparation machine. You need no less than a doctorate in meerkat physics to make the thing turn the bug extract powder into edible bug substitute. The first time I used it, I spilled bug extract all over the floor, my paws, and one of my clan members. I miss my old bug-boiling pot.

21 March 2008: Dear diary, in my clan, we have a new way of measuring the success of meerkat foraging.  Instead of the total number of bugs we collect, now in our annual meerkat assessment report we talk about the total number of hours spent foraging versus the total number of hours doing meerkat development courses and filling out our bug reimbursement forms.



Posted in Odds-n-Sods | 1 Comment »
