I admit that I am not much of a cyber-techie. I do know a little about computers though. When Microsoft announced they were not supporting Windows XT a while back, I had a bit of a cyber-rebellion because I refuse to spend any more money on Microsoft Operating Systems, which I assume, much like the NSA, report your every keystroke and video back to some central repository for “troubleshooting.” Right… But I instead elected to move to Linux. I’ve not noticed a degradation in what I can do, don’t have to worry about virus checkers and internet security programs that slow my system down… and all for FREE! Sometimes the simpler solutions are the best. I think we have so many problems with IT implementations and cyberattacks because they are so complicated and intricately interwoven that it is impossible for those who make decisions to understand what they are deciding. Unlike my previous post on the JSF (Too Big to Fail), the cybersecurity and IT world is just the opposite: Too Big Not to Fail! It’s just too complicated and the consequences are too dire to trust decisions in the Information and Communications Technology (ICT) world. (See, you are already behind; it’s no longer IT and Cyber, it’s ICT. Come on, get with it!)
I received a briefing yesterday on a report recently completed by the GSA and DoD entitled “Improving Cybersecurity and Resilience through Acquisition.” It’s signed by Frank Kendall from DoD and Dan Tangherlini of GSA. I’ve read through it a few times and I swear I still can’t make heads or tails out of it, and I very much doubt that the signees did either. The report is about increasing the use of cybersecurity standards in Federal acquisitions. Keep in mind there are similar standards for National Security Systems, so I assume they are so unique that they need their own (there’s always an exception, isn’t there?). They make six recommendations in no particular order of priority:
- Institute Baseline Cybersecurity Requirements as a Condition of Contract Award for Appropriate Acquisitions
- Address Cybersecurity in Relevant Training
- Develop Common Cybersecurity Definitions for Federal Acquisitions
- Institute a Federal Acquisition Cyber Risk Management Strategy
- Include a Requirement to Purchase from Original Equipment Manufacturers, Their Authorized Resellers, or Other “Trusted Sources” Whenever Available, in Appropriate Acquisitions
- Increase Government Accountability for Cyber Risk Management
I don’t know about you, but I don’t feel any better after reading them than before! Heck, the wording is so complicated and full of Pentagon-speak I can’t figure out what they mean. To be fair, there are explanatory paragraphs, but they are written in the same cyber-jargon that most decision makers in the Pentagon are not likely to understand. It’s fine for the techies to toss all those words around, but wouldn’t it be better if, when stuff like this is released to the public, it were in the Cybersecurity for Dummies format? At least have the techies who wrote it sign it.
This all flows from the Cyber Stone Tablet, “Framework for Improving Critical Infrastructure Cybersecurity,” done by NIST and released last week. Like most bureaucratic products it’s steeped in organization, tiers, overlays, constructs, phases and interrelated touch-points. I dare you to understand it! I’ve seen this before. Remember the Office of Business Transformation? They spent so much time developing papers and frameworks and touching those interrelated points that they forgot to do anything. It was all about organization, not about doing. I see this cyber mess going down the same path: lots of organization and logical interrelationships, with countless coordination meetings between Governing Councils.
How would I do it?
- Put one person in charge: the Cyber Czar (even though we don’t like Putin very much)
- Listen to the techies, but not be controlled by them
- Get buy-in from top leadership that no one is exempt from our policies and regulations
- Stop admiring the problem and start doing visible, effective steps to fix the problem
- Insist that the Cyber Czar has the authority and the money to reward the stars and punish the evildoers (nothing gets done without control of the money in this town)
- Make it mandatory for all!
I cringe when I see words like “this is a living document” and “Use of this voluntary Framework is the next step to improve the cybersecurity of our Nation’s critical infrastructure.” We need action verbs and proper nouns in this framework.
Without those steps, the whole schmegegge will flop because it’s Too Big Not To Fail.