Sunday, February 15, 2015

Cybersecurity Executive Order

http://www.whitehouse.gov/the-press-office/2015/02/13/executive-order-promoting-private-sector-cybersecurity-information-sharing

This is a rehash of every cyber initiative ever made by Homeland Security and does next to nothing that is new, bold, or even different than the soap opera leadership of Homeland Security in cyber.  

It calls for Homeland Security, the agency already responsible for coordinating industry-government information sharing, to step up creation of Information Sharing and Analysis Organizations (ISAOs) which have been around since I worked on the President's Critical Infrastructure Protection Committee, 10 years ago.  Nothing about them is new and Homeland allowed them to languish to the point of almost going out of existence under their bold management.  At one point there was only one still functioning.  They did almost nothing to get the kind of sharing legislation that was needed for liability protection, and did little to support those who did participate.  

The EO points to the National Cybersecurity and Communications Integration Center, which was a reconstructed coordination center that already existed in Homeland Security when it was built.  It duplicated everything the operations center did, but moved it out of the old building it was in, and shined it up.  It needed work, but that money could have been spent to do something productive instead of building another layer of "coordination" on top of all the rest that was already being done.  I once counted 24 coordination centers all doing cyber and don't think another one will help the other 24 coordinate anything.  

The Order mentions The Industrial Security Program (it was forgotten for years) and adds a line for Defense to coordinate with Homeland on the protection of classified information and to get clearances for those industry people that might need them.  They have been able to do this for years and certainly didn't need this order to do it again.  Second, the Industrial Security Program only protects classified information and we haven't had an incident yet where somebody said they lost classified information in a hack.  There is a mistaken belief that Defense goes out to contractors and helps them protect their computer systems from attack.  That isn't true and isn't likely to be true until there is expertise enough in government to do that.  Don't hold your breath for that one.

When the President needs a new initiative to backdrop a conference on Cybersecurity and Consumer Protection, he turns to his staff and says, "Get me an Executive Order to backdrop this speech."  The White House staff calls Homeland, and this is what we get.  Why didn't they look at this thing before they issued it?  
