Bill Brenner at CSO recently wrote an interesting piece highlighting the urgency of having a cybersecurity leader.
Although I do not agree with him that the simple DDoS attacks on government websites could have been prevented by having a Cybersecurity Czar, I do agree with him that we need a cybersecurity leader – now!
We all rejoiced when President Obama ordered a 60-day cybersecurity review shortly after taking office. We were all excited when, on May 29th, a report summarizing the findings of the cybersecurity review was released and the President declared cybersecurity a national security priority for his administration, and a personal goal for him. The President promised to appoint a cybersecurity coordinator (Cybersecurity Czar) and assured that the new official would have regular access to the Oval Office. Many of us (security pundits) were ecstatic and offered suggestions and praise. We were all a little disappointed that he did not name the new “coordinator” that day, but we were assured that the appointment would be announced soon. It has been more than six weeks since that announcement – and there is no appointment in sight. Obviously there is no shortage of rumors on who the next Cyber Czar will be or why the President hasn’t named one.
We understand that things move slowly in government and that the President has a lot of other pressing issues that he needs to deal with, but here are five reasons that the appointment of a Cybersecurity Czar (coordinator) is a matter that requires urgent attention:
- There is a lot of money being spent on cybersecurity every day – with no comprehensive strategy. Not only are individual agencies spending millions of dollars on cybersecurity, but a highly classified, multiyear, multibillion-dollar project approved by the Bush Administration, called CNCI – or “Cyber Initiative” – had a budget of $30 billion. This initiative was implemented with the goal of securing government, commercial and critical infrastructure computer systems against foreign and domestic intruders. We are talking big bucks here. Would you as a CISO let your business areas spend on security initiatives as they please without any coordination, communication or strategy?
- Critical infrastructure needs immediate help. Our critical infrastructure needs help. It is antiquated, prone to viruses and worms, and to people doing stupid things, ultimately leading to costly disruptions in service. Add to this the potential threats associated with foreign government hackers (Electricity Grid in U.S. Penetrated By Spies) and you’ve got an urgent matter on your hands. Other critical infrastructure breaches (FAA says info on 45,000 workers stolen in data breach) and commercial data losses (Hackers Breach Heartland Payment credit card system) bring no consolation.
- FISMA has utterly failed at securing government infrastructure. We have all come to realize that FISMA has done little to improve the security of government systems, and has instead created an additional layer of processes and a healthy revenue stream for beltline consulting companies. The Cybersecurity Czar needs to take over the responsibility of ensuring that FISMA 2.0 is in line with the current realities on the ground and is able to change the focus from “compliance” to security.
- Capture the momentum and excitement. I have never seen such optimism and excitement in the security industry for a government initiative. Security experts and the industry at large are offering to help in whatever capacity they can to improve the nation’s cybersecurity posture. We need to seize the opportunity and come up with a defined strategy (not high-level goals and objectives) and strong leadership that can channel this energy into positive action.
- Perception is almost as important as reality. Many people hailed Mr. Obama’s speech on May 27th as a strong warning to our adversaries that we are serious about security. The recommendations from the cybersecurity review were also heralded as the right first step. But nothing has happened since. We don’t have a plan, any specifics on how those recommendations will be implemented, nor a Cybersecurity Coordinator. By not following it up with action, what message are we sending? We need to at least be perceived as taking security seriously.
Do you agree that we need a Cybersecurity Czar in the first place? What kind of skill-set do we need in a Cybersecurity Czar? Who do you think will be Mr. Obama’s pick? As always, I’d value your feedback, comments, and thoughts.