RSA-- Joe is not alone

From Ed Cone's KnowITAll blog:

Feds Failing Cybersecurity

by Ericka Chickowski

Last week, the White House's acting senior director of cyberspace, Melissa Hathaway, spoke in front of a packed audience at the RSA conference in San Francisco, presumably to fill the security community in on the latest news about the Obama administration's strategy for cybersecurity.

Count me among the many audience members who were left feeling underwhelmed. Hathaway was never able to establish rapport with the audience due to her robotic reading of a script that included no real or tangible details from the upcoming report on cybersecurity collaboration, which she's been working on for the past two months. The best she could do is tell the audience to expect details in "the coming days."

Read the rest of the story....




  • ...and I think that pretty much sums up the situation with government regulation of cyber security. First, they need to assign responsibilities, and standards. Second, they need to come up with metrics for those standards. Third, they need to evaluate the results from this, make recommendations, and go back to step one. Lather. Rinse. Repeat.

    Sadly, there aren't enough experts yet to amount to a significant political force --not even for office IT applications, never mind industrial applications.

    So, the answer is naturally, "Your Cyber Security is very important to us, please stay on the line while we figure out what we should be doing about it."


  • I must admit that I no longer get the message here.

    In this blog we keep hearing a strong voice advocating regulation. Video evidence is available that this voice is heard on Capitol Hill. Now we’re getting presented a second (?) opinion from some other blog that portrays the Feds as fools. What exactly are people expecting from the government?

    The U.S. government has spent more on cyber security and CIP than any other country in the world, starting years before the DHS was in existence. U.S. researchers and national labs are enjoying juicy budgets that are unrivaled anywhere else in the world. Senators are treating the subject seriously and preparing for new legislation. Anyhow, all of this is seemingly not enough for the hosts of this blog.

    I believe it is fairly easy to portray DHS folks as bureaucrats if one wants to. On the other hand, I am wondering which security researcher with something significant to discuss would have problems in establishing direct contact with the proper people at DHS.

    My prediction is this. No matter what the outcome of the upcoming regulation/legislation on cyber security and CIP will be, we will learn in this blog how misguided it is.


  • Ralph, there's a difference between being in support of regulation and being in support of apparent cluelessness. It was obvious to many people, not just "this blog", that Melissa Hathaway was either trying hard to not say anything at all, or was clueless.

    If the former, forgiveness may be forthcoming when she actually reveals her report. If the latter, then God help the Republic.

    I am convinced that it is the former. But not everyone else is, and the purpose of this blog is to air opinions in an "unfettered" way. Your opinion, for example. (grin)

    My prediction, for what it is worth, is that eventually we'll come to the correct balance between regulation and legislation on the one hand and practice on the other. We did when we shook up things over environmental pollution back in the 1960s. We did when we shook up things over carbon in the atmosphere in the 1990s and early 2000s. We'll widen the economic calculus once again for cyber and physical safety and security. Functional security must come...and it will come.


  • The difficulty we all face is this: Do something, or it will be done to us.

    I think there are many aspects of industrial control system security that are simply nowhere near ready for public legislation or regulation. For example, without appropriate patching and validation standards (or even a chain of responsibility), we're not ready to manage embedded system security flaws. We don't have good forensics or auditing standards either.

    Yet, if we wait for those standards, someone else will inevitably impose office-oriented standards on industrial control systems. That would be an unmitigated disaster in the making.

    So a delay isn't a bad thing. In fact, I propose we do what we can to buy time, while perhaps giving people such as Ms. Hathaway some half-baked verbiage that sounds like a solution, while we work out the details.

    What I've just written makes me feel slimy and unclean, but that's today's political reality. Image matters more than substance. So let's give them lots of smoke and mirrors until we can figure out what needs to be done, who can get it done, and where the resources will come from.

    Sigh.

