US Gov’t Not Leading By Example
The calls from reporters continue to come in related to Aurora and the Congressional hearings on grid cyber security. There is a lot of talk and temptation for the government to bash the power industry. After all, you don’t want to look soft on this issue.
After seeing a story on TSA still failing to stop bomb-making components from getting through airport security, I remembered that USG agencies are graded every year on cyber security. Take a look again at the 2006 grades and those of past years.
DHS: D (F in 2005)
Dept of Energy: C- (F in 2005)
Nuclear Regulatory Commission: F (D- in 2005)
A few organizations such as GAO, OMB, NSF and EPA received A’s, so it must be possible to meet the FISMA criteria.
I don’t know if Congressional offices get grades, but my bet is you would see more of the same, if not worse, with 535 fiefdoms. This does not negate the need for better cyber security on the grid, but how can the members be so incredulous that there are cyber security problems when they have been at it a lot longer and are still getting failing grades?
Security is hard. What we should be looking for is improvement of the security posture and risk reduction. The trend line may be more important than any single data point in time. For example, if DHS and DoE move up to a C+ next year, that would be another positive development rather than a problem because it is not an A.
Author: Dale Peterson
Posted: November 15th, 2007 under US Government.
Comments: 5
Comments
Comment from Jake Brodsky
Time: November 15, 2007, 6:16 pm
These grades compare apples to oranges. I wouldn’t put too much stock in them. Those who create such things usually have an axe to grind. This axe is then used to cut some political opponent down to size.
If cyber security for normal business applications is hard, it pales in comparison to the situations we typically encounter with industrial control systems. While I agree that unless legislation happens, we’re not likely to see much activity on this front; I still maintain that people who lob these idiotic one letter grades at each other are not suited for the job of writing such legislation.
Comment from Dale Peterson
Time: November 15, 2007, 7:32 pm
Jake - I believe these grades are based on their compliance with SP800-53, which is the standard that some of the House Committee members suggested should replace NERC CIP. The systems may be apples to oranges, but the criteria are somewhat consistent.
Comment from Jake Brodsky
Time: November 16, 2007, 7:59 am
That may be true, Dale. However, this is like classifying a person based upon a single GPA number. Yes, they might have a very high GPA. However, it might be because they’re taking classes in basket weaving, music appreciation, and soap operas instead of calculus, literature, and physics.
Furthermore, security is one of those disciplines where the average doesn’t matter. If you’ve got a really strong front gate, but a wide open back door, you’re not better off than someone with two reasonably secure doors.
Single letter grades for security are a prelude to a political attack. It doesn’t matter on what basis these grades were given. They’re meaningless except to those who seek to make policy all over you.
Comment from rybolov
Time: November 16, 2007, 9:31 am
Grades are a metric, and a very simplistic one at that. What it measures is your information security management capability. If the agencies don’t have the budget (given by Congress) AND the execution by the agencies, then they will not improve. If I’m a CISO in an agency, I can only control half of the equation. Sounds like a plan for failure? Yes it is. Tell your congressional representatives that it’s partly their fault, they need to get the message, too.
Now the reason for the sad state of government IT security is simple: If you’re the Coast Guard, your job is rescuing capsized ships, not securing your IT systems. IT security is an “enabler” that lets you get your primary mission done. Now think about that, it means that if you have a choice to buy a new cutter or do IT systems maintenance, which one are you going to choose?
BTW, Congress does not get grades. The grades are only for Executive Branch agencies, so there are some Legislative and Judicial organizations that might surprise you: Congressional Printing and Mailing Office (can’t remember the exact name), Capitol Police (guard Capitol Hill and environs), and Administrative Office of the US Courts (records and archives case data for all cases in the US Federal Courts System).
Comment from Ralph Langner
Time: November 16, 2007, 11:56 am
You guys have classes on basket weaving and soap opera? Well, that’s what I call leading by example!