Wednesday, March 11, 2009

CyberSecurity Strategy: GAO Report

The GAO has released a new report, entitled "National Cybersecurity Strategy: Key Improvements Are Needed to Strengthen the Nation's Posture."

The report details key recommendations for addressing some of the primary gaps in our national cybersecurity strategy, gaps that have been discussed for years.

The GAO identified five areas in need of further attention:

1. Bolstering cyber analysis and warning capabilities
2. Completing actions identified during cyber exercises
3. Improving cybersecurity of infrastructure control systems
4. Strengthening DHS’s ability to help recover from Internet disruptions
5. Addressing cybercrime

Key strategic improvements recommended by the GAO's cybersecurity experts include:

1. Develop a national strategy that clearly articulates strategic objectives, goals, and priorities.
2. Establish White House responsibility and accountability for leading and overseeing national cybersecurity policy.
3. Establish a governance structure for strategy implementation.
4. Publicize and raise awareness about the seriousness of the cybersecurity problem.
5. Create an accountable, operational cybersecurity organization.
6. Focus more actions on prioritizing assets, assessing vulnerabilities, and reducing vulnerabilities than on developing additional plans.
7. Bolster public/private partnerships through an improved value proposition and use of incentives.
8. Focus greater attention on addressing the global aspects of cyberspace.
9. Improve law enforcement efforts to address malicious activities in cyberspace.
10. Place greater emphasis on cybersecurity research and development, including consideration of how to better coordinate government and private sector efforts.
11. Increase the cadre of cybersecurity professionals.
12. Make the federal government a model for cybersecurity, including using its acquisition function to enhance cybersecurity aspects of products and services.

None of these recommendations or areas of focus is new or unexpected. Do we really believe we need to raise awareness regarding how serious cybersecurity problems are? Everyone I know is painfully aware of them. It is the fierce competition for dwindling budgets and resources that stands as the major obstacle.

As for public/private partnerships, the last session I attended with the FBI Deputy Director of Cybersecurity provided information I had read in eWeek weeks before, along with a plaintive request that those of us in the audience share what we knew to assist the FBI in its efforts. That seemed a little one-sided.

I'm also part of the FBI's InfraGard program, and while I'm not permitted to discuss many (any?) of the details, it's no secret in the information security community that the intelligence bulletins it provides are neither timely nor useful.

Like most people in the private sector, I'm quick to opine that government intervention seldom serves as an agent of improvement. Quite the contrary: when was the last time you heard anyone wax poetic about the agility and acumen of the federal Department of Whatever? It's always the private sector that innovates and acts, because there's an underlying profit motive at work.

It will be interesting to watch as the Obama administration trots out a new approach, and I hope it works. All the scuttlebutt about the NSA taking over the cybersecurity mission actually seems promising, since its skill set appears better suited to the challenge than, say, that of the Department of Homeland Security. Plus, the NSA has managed to keep us from perishing in an atomic holocaust since the 1950s, so it has that going for it.

Read and digest the report at your leisure, but the devil is in the details. Many a brilliant concept has died a slow death when it came to implementation. I hope the Obama administration takes what the thinkers have assembled and allows some doers to make it so.
