Would the CSIS Suggestions To Obama Make a Difference?
I finally had a chance to read through the Center for Strategic and International Studies [CSIS] paper on Securing Cyberspace for the 44th Presidency. This group appears to have some clout so some of the recommendations may come to pass.
Still mulling the recommendations over, but here are my early thoughts.
1. The reorganization of responsibility will introduce delay and is unlikely to improve the situation
Let’s say the National Office for Cyberspace comes to be early in the Obama administration. We are in for an ineffective time period and disruption while the new organization is ’stood up’ and everyone figures out what their new role is in this organization. Is it six months, a year or longer before the new organization is effective? Anyone who has dealt with government stand-up efforts and the associated bureaucracy is probably shaking their heads.
Many loyal blog readers have been involved in one or more re-orgs of a large organization, especially with the arrival of new management. How often has that really made a dramatic difference? I don’t see the organizational structure being even close to the biggest impediment to date.
2. This whole consolidation / czar concept that is the rage is flawed, at least as related to information security.
We like to think that we can bring in a superstar with charisma to become the czar, e.g. drug czar, education czar, cyber security czar, …, and all will be well. In this control system cyber security effort I’d argue the key is the people three, four and five levels down from this charismatic czar.
The one exception where a new structure and charismatic czar would work is if you have a talented and motivated team in place that is being stopped from being effective by completely inept leadership. That is not the case here.
The biggest problem I have seen is a lack of talented control system security resources in the various government organizations trying to solve this incredibly hard problem. To make matters worse there is an incredible amount of turnover. Look at how many people we have heading up the control system security effort at NCSD. Please note that I said lack, not absence. There is some control system security talent in DHS, DoE, EPA, GAO, … just not close to enough and not there long enough.
Security is hard, detailed work on technical and administrative security controls. It is also not a one-time event, play the “security is a process” card here. It is going to take a large, broad and skilled team to address all the critical infrastructures.
3. Politics Does Not Support Addressing The Most Significant Risks First
Can you imagine anyone in government saying we are not going to address critical infrastructure cyber security in ten to twenty states because they have a low population and a successful control system cyber security attack there would affect the economy much less than one on any of the other thirty states? It can’t be said or accepted in the government. This is a crude example of the problem of being in the government. There are so many times when the right answer is “we are not addressing X serious risk now because we are addressing Y even more serious risk first”. Imagine the press coverage of a statement like “US Government admits it has no plans to stop X attack and will not address this problem until 2010.”
When we perform a first control system security assessment with an asset owner, there is always a huge amount of cyber security work to be done to get to an accepted risk level. It can be overwhelming, and this is just one organization. They have to understand that an organization can’t go from zero to strong security in a year, probably not even in two or three. However, by focusing on the items that offer the greatest risk reduction, the improvement in security posture is typically huge in that first year.
I think the most important section in our assessment reports is the prioritized list of 5 short term and 5 medium term actions. Our good clients get those done in year one and then move on to the next items that offer the most risk reduction. Our best clients have a very strong control system security program after three to five years, and at that point they are primarily focusing on maintaining and auditing their security posture.
If I were control system security czar, I would try to identify a small number of high risk reduction actions that could be accomplished in six months, twelve months, and then try to prep for the actions for the next year. A huge amount of risk would consciously not be addressed at all, and this is what is not acceptable when you have to testify to Congress or report to the President and his staff.
Author: Dale Peterson
Posted: December 15th, 2008 under Big Picture.
Comments: 3
Comments
Comment from Jake Brodsky
Time: December 15, 2008, 4:06 pm
Dale wrote “If I were control system security czar, I would try to identify a small number of high risk reduction actions that could be accomplished in six months, twelve months, and then try to prep for the actions for the next year. A huge amount of risk would consciously not be addressed at all, and this is what is not acceptable when you have to testify to Congress or report to the President and his staff.”
Hmmm. I have to agree with your last assessment. However, I don’t see where the authority to work on the other stuff comes from. This is part of the reason why so many want to create “Czars” of all these things. I’ll agree that it isn’t an ideal solution.
I guess the real question is what would it take to push control system security forward? I tend to think that aside of a very enlightened few, most take the opinion that unless there is a regulatory mandate or some very strong business case, there is no reason to secure anything.
This is particularly the case for utilities which are owned by local or state government and self insured.
As someone who generally believes in free markets, it hurts me to say this: I think there has to be a regulatory mandate to make security as important as safety, or it won’t happen.
Comment from Ralph Langner
Time: December 15, 2008, 5:05 pm
“I tend to think that aside of a very enlightened few, most take the opinion that unless there is a regulatory mandate or some very strong business case, there is no reason to secure anything.” said Jake. Well, I am little involved with utilities, but my experience is not that much different from manufacturing organisations: The enlightened few are in middle management. It is our duty to arm those in the trenches with evidence and argument to win the battle against senior management. To stretch the argument, it’s more important to engage management rather than hackers (as the most prevalent threats are unintentional anyway).
Besides that, I would rather like to know Dale’s short list of low hanging fruit items. (Mine includes items like personal responsibility, policies, and perimeter defense.)
Comment from Ron Southworth
Time: December 16, 2008, 8:00 am
Hi Dale,
What I have not seen anyone discuss so far in the public arena is some of the more positive aspects.
Ralph mentioned the trenches, and whilst I agree that there is a need to continue working in the trenches, the report identifies the need to look at gaining C-level support. The top-down approach is something we need to do to make lasting changes to our culture.
What about the suggestion of targeting these problems with a more global perspective? The all hazards and risks approach sounds very positive to me.
I would be curious to see your top 10 list too, Dale, as this is worth talking about as well.