Friday, May 12, 2017

A New Executive Order on Cyber Security

There were a couple of good things about the new Executive Order on Cyber, but the big surprise was Tom Bossert, the Cyber Advisor at Homeland Security.  He is articulate, composed and can handle the press - no small feat in Washington.  Generally speaking, Homeland Security was the armpit of public policy and completely devoid of any understanding of Cyber, so this guy will make some difference.  A few more people like him and we could say Homeland can speak for part of the cyber business - the civil government side, at least.

One good thing came of the policy:  a recognition that the Federal government is an enterprise and should be managed like a large corporate data system, policy and money management at the top, and implementation in the other parts of the enterprise.  Quite a few people do not know that this idea came well before this EO but nothing was ever actually done the way it was described by the Obama Administration.  They had good policy, but seldom followed any of it.

The second is the use of cloud services, something most of the agencies will benefit from.  They will save money as service providers give them a better product that should be more secure than the mish-mash they have today.  This is already being done in AWS, Google and internal Federal systems run by the government itself.  Unlike most projects, this aspect has been going on pretty smoothly.

They are still going to use the NIST Framework, which is not good policy.  There are no minimum security requirements and it is still a risk-based, rather than a threat-based, policy.  It is a good policy for people who make policy because it covers their collective asses.  They can always point to something in that mass and say, "They didn't do that part" when something bad happens.  Never mind that the last 7 or 8 big hacks of government have all used basically the same attack techniques, about which nothing has been done, either technically or policy-wise.  That is the sign of a failed policy, and of insanity: doing the same thing over and over and expecting a different result.

Another interesting thing about this is the EO wasn't published.  Nice to see that not everything the White House does is available for the world to see.  In the name of openness, the Obama Administration published lots of things that were dangerous to us.
