Tuesday, March 24, 2009

Moving Cybersecurity from DHS to White House

From here:

“Forthcoming legislation would wrest cybersecurity responsibilities from the U.S. Department of Homeland Security and transfer them to the White House, a proposed move that likely will draw objections from industry groups and some conservatives.
CNET News has obtained a summary of a proposal from Senators Jay Rockefeller (D-W.V.) and Olympia Snowe (R-Maine) that would create an Office of the National Cybersecurity Advisor, part of the Executive Office of the President. That office would receive the power to disconnect, if it believes they’re at risk of a cyberattack, “critical” computer networks from the Internet. “I regard this as a profoundly and deeply troubling problem to which we are not paying much attention,” Rockefeller said a hearing this week, referring to cybersecurity…”

and a DHS response here:

I'm a simple guy and I'm going to oversimplify my response. So here goes.

Politics and money aside (because there is a lot of both in this issue, and DHS would be dumb not to fight to keep control of the mission given the sheer amount of $ being thrown at it), without strong leadership and authority it won't matter who is in charge of cybersecurity for the US.

When I was just getting interested in security and still in college I went to Black Hat New Orleans 2002, and listened to Erik Birkholz's "How To Fix a Broken Window" talk.

From the talk description:

C:\>net send * “Don’t expect secure networks if you haven’t empowered your internal security team.”

Security vs. usability may finally become a balanced equation. All the usability in the world isn’t worth a damn if your internal network is a wasteland of default configurations and blank passwords. Security teams are now a required internal resource. Contrary to popular belief there are NOT 24 working hours in a day. Security can not be treated as a side order. The excuses need to stop - now.

The amount of the above that still rings true 7 years later is just ridiculous, but the important thing I took from that talk 7 years ago that is still true today is: don't give people the responsibility of security and no authority to do anything about it.

So what does that have to do with DHS & the White House and who's calling the shots? Well, the fact is that DHS and US-CERT have all the responsibility but no authority. US-CERT can send .gov organizations alerts, advice, guidance, incidents, threats, whatever all day long, but at the end of the day they really can't make those .gov entities do shit. That is the sad reality: those other agencies in most situations don't have to listen to US-CERT, or can merely say "we took care of it," and there is no secondary investigation to be done or allowed. Additionally, there seems to be no punishment for receiving failing FISMA grades or having numerous security incidents, unless you call getting extra funding "to fix the problem" a punishment.

The simple version is this:
If things don't change... if there is no authority to withhold funds or internet access, or to fire people who show gross incompetence or an inability to handle the security responsibility of their organization; if we don't stop putting people in CSO/CIO positions who have no security background; if getting a failing FISMA grade doesn't actually mean anything; and if we don't change the broke-ass way that some .gov agencies operate, it won't matter who is responsible for cybersecurity or how much money you throw at the problem: it's still gonna be jacked up. In fact, who's to blame the bad guys for breaking into networks that are just so damn easy to break into?

1 comment:

Anonymous said...

Interesting read. It definitely is well known within the security industry that government security CAN be a joke, depending on which agency you're lookin at, and in that respect the FISMA does do a good job to show who's lacking, but it doesn't do much else like you said. And the security vendors love that, a bad FISMA grade is a great excuse to come in and attempt to sell high dollar network access control systems and the like... but the fact of the matter is, the grade doesn't mean sh*t about how secure that agency is.
Now, something interesting to think about is the talk about the CAG (Consensus Audit Guidelines) that has been floating around since early 2008. These CAG would more accurately show the relative security of a given agency or department, or at least that's what I gather from reading the drafts... possibly a real step forward. You can take a look at a copy of the drafts over at SANS.
Apparently they plan to widely adopt this plan as I read the following agencies were involved in creating the draft:
The National Security Agency Red Team and Blue Team, the Homeland Security Department, the U.S. Computer Emergency Readiness Team, the DOD Computer Network Defense Architecture Group, DOD Joint Task Force – Global Network Operations (JTF-GNO), the DOD Defense Cyber Crime Center; the Energy Department’s Los Alamos National Laboratory, the Army Research Laboratory, the Transportation Department, the Health and Human Services Department, and the Government Accountability Office. Also, MITRE Corp., the SANS Institute, and commercial penetration testing and forensics experts at InGuardians and Mandiant.

SANS.org CAG link: