Comments on: US Gov’t Not Leading By Example http://www.digitalbond.com/index.php/2007/11/15/us-govt-not-leading-by-example/ This Month in Control System Security Fri, 30 Jul 2010 09:35:51 +0000 http://wordpress.org/?v=2.9.2 hourly 1 By: Ralph Langner http://www.digitalbond.com/index.php/2007/11/15/us-govt-not-leading-by-example/comment-page-1/#comment-8918 Ralph Langner Fri, 16 Nov 2007 15:56:03 +0000 http://www.digitalbond.com/index.php/2007/11/15/us-govt-not-leading-by-example/#comment-8918 You guys have classes on basket weaving and soap opera? Well, that's what I call leading by example! ;-) You guys have classes on basket weaving and soap opera? Well, that’s what I call leading by example!
;-)

]]> By: rybolov http://www.digitalbond.com/index.php/2007/11/15/us-govt-not-leading-by-example/comment-page-1/#comment-8916 rybolov Fri, 16 Nov 2007 13:31:41 +0000 http://www.digitalbond.com/index.php/2007/11/15/us-govt-not-leading-by-example/#comment-8916 Grades are a metric, and a very simplistic one at that. What it measures is your information security management capability. If the agencies don't have the budget (given by Congress) AND the execution by the agencies, then they will not improve. If I'm a CISO in an agency, I can only control half of the equation. Sounds like a plan for failure? Yes it is. Tell your congressional representatives that it's partly their fault, they need to get the message, too. Now the reason for the sad state of government IT security is simple: If you're the Coast Guard, your job is rescuing capsized ships, not securing your IT systems. IT security is an "enabler" that lets you get your primary mission done. Now think about that, it means that if you have a choice to buy a new cutter or do IT systems maintenance, which one are you going to choose? BTW, Congress does not get grades. The grades are only for Executive Branch agencies, so there are some Legislative and Judicial organizations that might surprise you: Congressional Printing and Mailing Office (can't remember the exact name), Capital Police (guard Capital Hill and environs), and Administrative Office of the US Courts (records and archives case data for all cases in the US Federal Courts System). Grades are a metric, and a very simplistic one at that. What it measures is your information security management capability. If the agencies don’t have the budget (given by Congress) AND the execution by the agencies, then they will not improve. If I’m a CISO in an agency, I can only control half of the equation. Sounds like a plan for failure? Yes it is. Tell your congressional representatives that it’s partly their fault, they need to get the message, too.

Now the reason for the sad state of government IT security is simple: If you’re the Coast Guard, your job is rescuing capsized ships, not securing your IT systems. IT security is an “enabler” that lets you get your primary mission done. Now think about that, it means that if you have a choice to buy a new cutter or do IT systems maintenance, which one are you going to choose?

BTW, Congress does not get grades. The grades are only for Executive Branch agencies, so there are some Legislative and Judicial organizations that might surprise you: Congressional Printing and Mailing Office (can’t remember the exact name), Capital Police (guard Capital Hill and environs), and Administrative Office of the US Courts (records and archives case data for all cases in the US Federal Courts System).

]]> By: Jake Brodsky http://www.digitalbond.com/index.php/2007/11/15/us-govt-not-leading-by-example/comment-page-1/#comment-8915 Jake Brodsky Fri, 16 Nov 2007 11:59:04 +0000 http://www.digitalbond.com/index.php/2007/11/15/us-govt-not-leading-by-example/#comment-8915 That may be true, Dale. However, this is like classifying a person based upon a single GPA number. Yes, they might have a very high GPA. However, it might be because they're taking classes in basket weaving, music appreciation, and soap operas instead of calculus, literature, and physics. Furthermore, security is one of those disciplines where the average doesn't matter. If you've got a really strong front gate, but a wide open back door, you're not better off than someone with two reasonably secure doors. Single letter grades for security are a prelude to a political attack. It doesn't matter on what basis these grades were given. They're meaningless except to those who seek to make policy all over you. That may be true, Dale. However, this is like classifying a person based upon a single GPA number. Yes, they might have a very high GPA. However, it might be because they’re taking classes in basket weaving, music appreciation, and soap operas instead of calculus, literature, and physics.

Furthermore, security is one of those disciplines where the average doesn’t matter. If you’ve got a really strong front gate, but a wide open back door, you’re not better off than someone with two reasonably secure doors.

Single letter grades for security are a prelude to a political attack. It doesn’t matter on what basis these grades were given. They’re meaningless except to those who seek to make policy all over you.

]]> By: Dale Peterson http://www.digitalbond.com/index.php/2007/11/15/us-govt-not-leading-by-example/comment-page-1/#comment-8911 Dale Peterson Thu, 15 Nov 2007 23:32:50 +0000 http://www.digitalbond.com/index.php/2007/11/15/us-govt-not-leading-by-example/#comment-8911 Jake - I believe these grades are based on their compliance with SP800-53, which is the standard that some of the House Committee members suggested should replace NERC CIP. The systems may be apples to oranges, but the criteria is somewhat consistent. Jake – I believe these grades are based on their compliance with SP800-53, which is the standard that some of the House Committee members suggested should replace NERC CIP. The systems may be apples to oranges, but the criteria is somewhat consistent.

]]> By: Jake Brodsky http://www.digitalbond.com/index.php/2007/11/15/us-govt-not-leading-by-example/comment-page-1/#comment-8910 Jake Brodsky Thu, 15 Nov 2007 22:16:28 +0000 http://www.digitalbond.com/index.php/2007/11/15/us-govt-not-leading-by-example/#comment-8910 These grades compare apples to oranges. I wouldn't put too much stock in them. Those who create such things usually have an axe to grind. This axe is then used to cut some political opponent down to size. If cyber security for normal business applications is hard, it pales in comparison to the situations we typically encounter with industrial control systems. While I agree that unless legislation happens, we're not likely to see much activity on this front; I still maintain that people who lob these idiotic one letter grades at each other are not suited for the job of writing such legislation. These grades compare apples to oranges. I wouldn’t put too much stock in them. Those who create such things usually have an axe to grind. This axe is then used to cut some political opponent down to size.

If cyber security for normal business applications is hard, it pales in comparison to the situations we typically encounter with industrial control systems. While I agree that unless legislation happens, we’re not likely to see much activity on this front; I still maintain that people who lob these idiotic one letter grades at each other are not suited for the job of writing such legislation.

]]>