HLS: Not Serious XVIII
Part of the reason why only a well-compensated glutton for punishment would even consider serving in the cyber security czar position:
Industry cyber safety experts were unanimous in praising the Department of Homeland Security (DHS) for finally acknowledging the importance of cyber security in the final version of the National Infrastructure Protection Plan (NIPP) released on June 30. However, they also cited some substantial failings, including the absence of any guidance on how commercial cyber systems should be protected and how both private and public sectors ought to work together.
The very generally worded plan is supposed to lay the groundwork for 17 sector specific plans, ostensibly containing the specifics on how to integrate both physical and cyber infrastructure protection. Those plans, which will be published within 180 days, are being worked on by federal-industry sector coordinating councils (SCC), such as the one in the IT area. Paul Kurtz, executive director of the Cyber Security Industry Alliance, co-chairs the IT SCC group that is writing the sector plan. Corporate and industry compliance with those plans will be voluntary. [emphasis mine]
While Kurtz says that the eventual IT sector specific plan can be valuable — even without mandatory compliance — he adds that its major limitation, vis a vis private sector cyber security, is the absence of a cyber security guru at DHS. The department created a new position of assistant secretary of telecommunications and cyber security more than a year ago, but it remains vacant.
You gotta love industry: they complain that the government isn’t doing enough while they simultaneously make sure that if the government actually did try to lay down the law, they wouldn’t actually have to comply. Granted, the very infrastructure that we are trying to protect is almost exclusively in the hands of private industry, but when industry plays a vital role in the security and prosperity of the nation (military material doesn’t move if the ‘Net is down – kind of important in a time of war) Uncle Sam has to get a little somethin’-somethin’. No one is asking for a document that can be broken down into five-levels of sub-sections, but is a meta-document that spells out roles and responsibilities too much to ask for? Apparently.
“If our nation is hit by a cyber Katrina that wipes out large parts of the Internet, there is no coordinated plan in place to restart and restore the Internet,” said John Castellani, president of the [Business] Roundtable, when that group’s report [on the NIPP] was released. […]
“If there’s a cyber disaster, there is no emergency number to call — and no one in place to respond. Our nation simply doesn’t have the kind of coordinated plan in place that we need to restart and restore the Internet,” Edward Rust Jr., chairman and CEO of State Farm Insurance Companies and head of the Roundtable security task force’s working group on cyber security, said in releasing that group’s report.
Back in the day we experienced this thing called the Morris Worm. We didn’t have a plan to bring back the then-nascent Internet from the brink then, but resourceful engineers figured it out. The government solution then was the creation of CERT/CC at Carnegie Mellon University, which is a great pool of computer science and security talent. Did I mention that CERT/CC is one of the key bellybuttons that is supposed to be pushed when the Internet stumbles? Did it escape you that the acting head of cyber security for DHS is on loan from CMU? Great talent pool + Chartered responsibility + Inside man = woefully inadequate performance? Something isn’t computing.