
Our Massively Dysfunctional Cyber ‘System’



Today I met with two seniors in the cyber community, both of whom have access to the very top of their respective food chains.  We talked for about 90 minutes, as a group.  Altogether I spent 2 1/2 hours with the one gentleman.

What I discovered during our talk sent chills throughout my body.  Not only is there no coherent strategy for cyber defense at the national level, the old DC two-step shuffle is making entire Cabinet Departments…  useless.

One of the seniors in the cyber community with whom I correspond occasionally told me that ‘everybody is doing just fine.  We coordinate with all the other Departments and with the White House NSC Staff’.

I’m here to tell you that is a lie.

Many seniors don’t know and they don’t seem to care.

One Secretary publicly announced she does not use email.  She was promptly labeled a Luddite by many.

At least one Department is now seen to be entirely ineffectual in the cyber world. They have abrogated their responsibilities and are no longer seen by the other Departments as being decisively engaged in this critical field.

At least one Department has been gutted: many of the most talented leaders have decided to pursue outside interests, are on loan, have become reacquainted with their families or have simply retired while they could.  Entire offices have been disbanded and only junior staff officers coordinate.

At least one place is practically rudderless when it comes to actually doing the coordination, staffing and leading cyber efforts.

What we should do and what we are doing is at opposite ends of the spectrum.

Our political system has effectively rendered the United States cyber eunuchs.  Yep, that’s the first time I’ve seen that phrase used, too.

The legislative efforts of 2012 to create a decent cybersecurity bill within both houses were corrupted by partisan politics.  One house worked, one house sucked, horribly.

What should be done to stop theft of intellectual property by state actors (China) would require a Presidential Finding but our leadership structure is devoid of real leaders.  That is not a political statement, that is a statement about our country.

The cybersecurity EO or NSPD or whatever is being worked on is only a band-aid cure; it will not be enforceable within the civilian sector.  It will lack legislative authority and will, de facto, only make people examine processes, not DO anything.

We lack the leadership needed to pull us out of this abyss.


3 thoughts on “Our Massively Dysfunctional Cyber ‘System’”

  1. Joel – I’m not defending any particular entity here but realistically is the government ever going to have the responsibility to defend banks and other private enterprises given that those same enterprises will have to give over some control to the government of their systems? Seems unlikely. We’ve set the bar too high. Right now, DoD has only the writ to defend .mil and to expand that would be a massive expansion of government power. Who’s up for that?

    1. Right now the onus falls to DHS but this mission FAR exceeds their capacity for the foreseeable future. Altruistically they deserve the mission and, despite everybody’s (well almost everybody) misgivings about their lack of capabilities, if they had the appropriate resources they could do the job.

      Depending on how they decide to execute the mission, I foresee different levels of effectiveness. They already have an outreach program which, quite frankly, is grossly underfunded. If the US government wants to protect businesses of all sizes and private citizens, DHS needs to be properly funded.

      I see a three step process.

      Hold software manufacturers responsible for security vulnerabilities. I do not want to wait for version 6.3 before most of the vulnerabilities are fixed. Like a car, do it right the first time. Period.

      Let me turn the normal model on its head. DHS will never have the capability to protect every citizen from malicious actors. Never. But, if Joe and Jane Citizen take responsibility for their own defense, the government should provide the tools, education and assistance necessary for their own defense. Built into these tools are information sharing devices. People, suck it up, if you don’t want to share what is attacking your system, don’t use our tools. We can’t see a massive attack on you and all your fellow citizens if we can’t see the big picture.

      Businesses will have a choice. Most small businesses can’t afford a really good cybersecurity program, so the government can provide the tools, education and assistance necessary for their own defense. The cost is sharing information on how you are being attacked. Large corporations will have the same services offered (but not necessarily mandatory), but it should be mandatory to provide the information to the ‘government’. None of this is mandatory but business would be foolish not to participate.

      Join or Die seems a bit harsh, but if a business does not participate, they are, de facto, hanging themselves out to dry.

      http://killerapps.foreignpolicy.com/posts/2012/10/09/dod_dhs_cyber_threat_info_sharing_program_isnt_shrinking
