John Pescatore

A member of the Gartner Blog Network

What I Want For Wednesday From a New Administration: Change That Brings Qui Vive In

November 5th, 2008 · No Comments

“Remember, remember the fifth of November,
The gunpowder, treason and plot,
I know of no reason
Why the gunpowder treason
Should ever be forgot.”
Not only is today finally the end of the US presidential election campaign, it is also the 403rd anniversary of the foiling of the Gunpowder Plot to blow up the British Parliament. So, as we celebrate both Guy Fawkes Day and a new incoming administration, I’d like to see the blowing up of some government approaches to information security that aren’t working become a cornerstone of “Change We Can Believe In.”
A good starting point would be looking back ten years at Presidential Decision Directive-63’s approach to the government’s role and emphasis in information security. In particular, a few PDD-63 statements jump out:
No later than the year 2000, the United States shall have achieved an initial operating capability and no later than five years from today the United States shall have achieved and shall maintain the ability to protect the nation’s critical infrastructures from intentional acts that would significantly diminish the abilities of:

  • the Federal Government to perform essential national security missions and to ensure the general public health and safety;
  • state and local governments to maintain order and to deliver minimum essential public services;
  • the private sector to ensure the orderly functioning of the economy and the delivery of essential telecommunications, energy, financial and transportation services.
Any interruptions or manipulations of these critical functions must be brief, infrequent, manageable, geographically isolated and minimally detrimental to the welfare of the United States.
Oops, missed that deadline by a bit. But note the common sense approach: the government focuses on what the government is supposed to do, private industry does the same, and the goal is realistic: minimize, not eliminate, incidents.
  • Care must be taken to respect privacy rights. Consumers and operators must have confidence that information will be handled accurately, confidentially and reliably. 
  • The Federal Government shall, through its research, development and procurement, encourage the introduction of increasingly capable methods of infrastructure protection. 
  • The Federal Government shall serve as a model to the private sector on how infrastructure assurance is best achieved and shall, to the extent feasible, distribute the results of its endeavors.
There are plenty of areas where PDD-63 was off the mark, but these three areas, and especially the last, are the ones that have been the most neglected over the past ten years since PDD-63 came out. The Federal Government certainly has not served as a model of how to do cybersecurity right. It has been, at best, reactive and well behind what private industry has done.
  
Not that the Federal Government hasn’t done some good things:
  • Pushing DNSSEC in the .gov domain 
  • Mandating laptop encryption and strong authentication for laptops
  • Trying to limit the number of desktop operating system images through the Federal Desktop Core Configuration standard
  • Some Departments (like Agriculture) mandating all software be vulnerability tested before deployment and that all software developers have training in secure software techniques
All good stuff, but all of it came from disjoint, unfunded OMB mandates rather than from any coherent strategy to have the government be a “model” for cybersecurity. If they were backed with budgetary directives or directed spending, the biggest lever the government has (its spending) could be used to drive security forward.
  
There is change in the air, though the Federal government has so much inertia that it easily fights off direct change. Here’s to hoping the incoming administration and political appointees will take a look back at what PDD-63 said and use that to focus on changing the government approach to information security from the inside out.
Tags: Uncategorized
