March 2009 Archives
I recently read an article written by Lt. Gen. Harry D. Raduege, Jr., USAF (Ret.) in SIGNAL Magazine titled "Evolving Cybersecurity Faces a New Dawn" that outlined what he calls the four-stage journey of cybersecurity. The article is located at http://www.afcea.org/signal/articles/templates/Signal_Article_Template.asp?articleid=1784&zoneid=245
While the General approaches the issue from a DoD perspective, I think it translates very nicely to the cybersecurity attitude of both government and society in general. It's an interesting article and I'll leave it to you to read but I'd like to comment on just one of his points. In discussing stage three, General Raduege states that "We understand the nature of the threat and the implications for our nation, and there is a growing sense of urgency."
I couldn't agree more that there is a growing sense of urgency. In fact, we've never heard so much buzz about cybersecurity on a daily basis, and it's in the top five priorities of almost all CIOs. However, my question is whether the right people are experiencing that "growing sense of urgency." Those of us in the security business certainly get it, and there seem to be little flares of interest in government from time to time (usually the result of a data breach or malicious attack that gets headlines), but getting the attention of our policy makers still seems to be a challenge.
The nation spends $BILLIONS every year on thousands of projects that quite frankly, are of very little interest to, and have very little impact on, the vast majority of Americans. One man's pork may be another man's job but think about how far even a small percentage of this kind of funding would go in addressing the nation's cybersecurity and critical infrastructure weaknesses at the federal, state and local government levels. That would benefit the overall population of America far more than some of the small special interest groups on the receiving end of these earmarks.
There are a growing number of national cybersecurity champions, including General Raduege, and I'm excited about the proactive position of President Obama and Representatives Jim Langevin (D-RI) and Michael McCaul (R-TX) but we need more people leaning forward, way forward, on cybersecurity. This is not a FUD issue and it's our responsibility to clearly communicate the sense of urgency without making it one. What do you think?
Rod Beckstrom resigned last Friday from his post as Director of the National Cyber Security Center (NCSC) at the Department of Homeland Security after less than one year in the role, citing a lack of resources and support. It's reported that Beckstrom's NCSC, which is responsible for coordinating the government's response to cybersecurity threats, received less than $500,000 in funding for the past year. I know, you know, and the government knows that $500K isn't going to go very far in addressing these big issues, so if true, why are the expectations so low? Perhaps the most compelling comment from his resignation letter, though, is how having NSA play a significant role in the nation's cybersecurity was "bad strategy." http://www.networkworld.com/news/2009/030909-beckstrom-resignes-ncsc.html
Mr. Beckstrom's announcement has led to some interesting discussions http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9129429&instrc=news_ts_head about whether or not NSA should in fact be playing a lead role in the nation's cybersecurity mission at all. While the technical expertise that resides within NSA is beyond question, in an era of transparency in government, the issue may have some validity when you look at the historically closed environment of NSA. On the other hand, the national cybersecurity agenda hasn't really made any great strides residing within DHS in the past few years so maybe that isn't a good fit either. While NSA has received some less than positive press as a "spy agency" over the years, Information Assurance, with a focus on vulnerability and threat analysis, is one of their core missions.
So I suppose the real question is that if a national cybersecurity initiative is truly a national priority, where should the organization directing it live? Do you think vesting NSA with a leadership role in the nation's cybersecurity effort is the right choice and if not at NSA, where should it be?
As some of you have undoubtedly heard, Dan Lohrmann has moved on to bigger things and accepted the position as Chief Technology Officer and Director of the Infrastructure Services Administration for the state of Michigan. My Herculean task is to try and fill Dan's very large shoes in blogging about the latest cyber security news in government. Dan's blog has been one of the few links I hit consistently because it's always been timely and thought-provoking.
A little about me. I've been in the technology business my entire life and in the cyber security business for the past 17 or so years ... what an exciting ride it's been! I was a Cryptologist in the US Navy and left active duty in 2001, where my last job was working with the Navy's Computer Network Defense Operations, the Navy Computer Incident Response Team (NAVCIRT), and the Navy Red Team. Those early days in cyber security were incredible and, just in case you're wondering, the Navy has some of the best security professionals in the world as well as an exciting and very relevant mission! While at the NAVCIRT I met a very smart guy named Stephen Northcutt who was doing some really interesting work at the Naval Surface Warfare Center and building a cool IDS tool called Shadow ... perhaps you've heard of him? After I left the Navy I spent a couple of years with Raytheon building and running a Security Operations Center and doing some Certification and Accreditation (C&A) work, which brought me face to face with the limitations and weaknesses of FISMA (it's not altogether bad, it just has limitations, and I'll write more about that in the coming weeks as the Consensus Audit Guidelines (CAG) get more legs).
In 2005 I became the State of Colorado's first CISO and had the very enviable task of building the statewide information security program. Really now, who wouldn't leap at that opportunity? Governor Bill Owens recognized the significance of an all-encompassing security program and gave me the executive support and resources I needed to quickly establish enterprise security governance. After Governor Bill Ritter took office in 2007, he raised the ante by hiring Mike Locatis as his CIO to consolidate all IT and security operations in the state. I loved working with Mike but after three years in Colorado, opportunity knocked again and I moved to California to take over as CISO when Governor Schwarzenegger hired Teri Takai as his CIO to begin revolutionizing IT in the Golden State. Talk about timing. I now have the best and most challenging CISO job in the world and look forward to blogging about the exciting things happening in the government cyber security space.
I'm always looking for interesting things to write about so please feel free to post whenever you get the chance and if you have something provocative, let me know.