Tuesday, February 9, 2016

President Obama's Mirror

The last person in the world anyone would expect to author an opinion piece on cyber security is the President of the United States.  He did not write it, of course, but signed it.  It appears in the Wall Street Journal today.

This is, after all, the administration of the Post Office, OPM, State Department, IRS, Medicare et al. hacks that have shown how well the Feds have been dealing with cyber threats.  But the essence of the need for such a pronouncement lies in the statement that 9 out of 10 US citizens think their personal information is out of control.  That is a big number.

The President wants his initiative to put $3 billion into renovating Federal IT, mentioning that Social Security still uses systems and code from the 1960s.  This reminds me of the OPM hack, where the security budget doubled after the third breach.  Throwing good money after bad is not a good idea, and throwing $3 billion at IT is certainly a waste of money.  They will just build a new Ops Center and bring in more contractors who can spend that money.  SSA has been doing that since the 1960s, or it wouldn't be in the shape it is in.  There are fundamental problems if they can't plan upgrades and pay for them over time.  This lack of security planning is at the root of most of the hacks the Fed has seen.  Look at the IG reports for OPM from 2012 to 2015 to see what I'm talking about.  Identified problems went unfunded for years until the bubble burst.

Offering scholarships and "forgiving student loans" to strengthen our corps of cyber experts left me wondering who wrote this piece and what the agenda could possibly be.  Getting colleges and universities to strengthen their cyber security courses and include them in business and technical curricula is more important.

And the final piece of wonder comes from the opening of a new cyber security center of excellence in Maryland, which will draw together experts to work on new state-of-the-art security systems for our industry partners.  Apparently, industry is not doing well at developing its own and needs government help in doing it.  DHS opened a similar place just a couple of years ago, but must not have been able to achieve much, because this one is needed.  There are over 60 places like this in the US, most built with security money that should have been used to do security, not to work on future technologies that never seem to come out of them.

It is time to focus.

Policy is a good area to look at, given the lack of requirements for security of systems in government.  Our security policies went down the toilet when government started thinking NIST could write policy.  They just write guidance, leaving agencies to do what they want.  That has led to the kinds of problems we have today.  Nothing is mandatory; nothing is done.  The new Risk Management Framework and continuous monitoring are an unfunny joke that allows managers to escape any responsibility for the security of agency systems.

Put some of that money into the security of government leaders, who get hacked every time we turn around.  Give them secure computers - tablets, cell phones, and desktops - that communicate securely, and keep them off their own computers that don't.  Make that mandatory.

Centralize the security budgets of agencies and force them to use that money for the security of systems, not fluff.  When the Army builds a golf course with funds intended to secure its networks, we have a right to ask why.  Building new centers of excellence is not getting us excellence in security.

There is going to be a CISO for the Fed.  Whoever they appoint needs some authority over the agencies, or it will be for show.  The agency CISOs need to report to that person and be accountable to that office.  The OPM fiasco would never have happened if somebody above OPM had listened to the needs its IG identified.