From here:
http://infosecurity.us/?p=7343
“Forthcoming legislation would wrest cybersecurity responsibilities from the U.S. Department of Homeland Security and transfer them to the White House, a proposed move that likely will draw objections from industry groups and some conservatives.
CNET News has obtained a summary of a proposal from Senators Jay Rockefeller (D-W.V.) and Olympia Snowe (R-Maine) that would create an Office of the National Cybersecurity Advisor, part of the Executive Office of the President. That office would receive the power to disconnect, if it believes they’re at risk of a cyberattack, “critical” computer networks from the Internet. “I regard this as a profoundly and deeply troubling problem to which we are not paying much attention,” Rockefeller said a hearing this week, referring to cybersecurity…”
and a DHS response here:
http://news.cnet.com/8301-13578_3-10048063-38.html
I'm a simple guy and I'm going to over simplify my response. So here goes.
Politics and money aside, because there is alot of both for this issue DHS would be dumb not to fight to keep control of mission for the sheer amount of $ being thrown at it, without strong leadership and authority it wont matter who is in charge of cybersecurity for the US.
When I was just getting interested in security and still in college I went to Black Hat New Orleans 2002, and listened to Erik Birkholz's "How To Fix a Broken Window" talk.
From the talk description:
C:\>net send * “Don’t expect secure networks if you haven’t empowered your internal security team.”
Security vs. usability may finally become a balanced equation. All the usability in the world isn’t worth a damn if your internal network is a wasteland of default configurations and blank passwords. Security teams are now a required internal resource. Contrary to popular belief there are NOT 24 working hours in a day. Security can not be treated as a side order. The excuses need to stop - now.
The amount of the above that still rings true 7 years later is just ridiculous but the important thing I took from that talk 7 years ago that is still true today is don't give people the responsibility of security and no authority to do anything about it.
So what does that have to do with DHS & the White House and who's calling the shots? Well, the fact that DHS and U.S. Cert have all the responsibility but no authority. The U.S. Cert can send .gov organizations alerts, advice, guidance, incidents, threats, whatever all day long, but at the end of the day they really cant make those .gov entities do shit. That is the sad reality, those other agencies in most situations don't have to listen to the cert or can merely say "we took care of it" and there is no secondary investigation to be done or allowed. Additionally, there seems to be no punishment for receiving failing FISMA grades or having numerous amounts of security incidents, unless you call getting extra funding "to fix the problem" a punishment.
The simple version is this:
If things don't change...if the authority to withhold funds, internet access, or the ability to fire people who show gross incompetence or the inability to handle the security responsibility of their organization, if we dont stop putting people in CSO/CIO positions who have no security background, if getting a failing FISMA grade doesn't actually mean anything, and if we dont change the broke ass way that some .gov agencies operate it wont matter who is responsible for cybersecurity or how much money you throw at the problem its still gonna be jacked up. In fact, who's to blame bad guys for breaking into networks that are just so damn easy to break into?
http://infosecurity.us/?p=7343
“Forthcoming legislation would wrest cybersecurity responsibilities from the U.S. Department of Homeland Security and transfer them to the White House, a proposed move that likely will draw objections from industry groups and some conservatives.
CNET News has obtained a summary of a proposal from Senators Jay Rockefeller (D-W.V.) and Olympia Snowe (R-Maine) that would create an Office of the National Cybersecurity Advisor, part of the Executive Office of the President. That office would receive the power to disconnect, if it believes they’re at risk of a cyberattack, “critical” computer networks from the Internet. “I regard this as a profoundly and deeply troubling problem to which we are not paying much attention,” Rockefeller said a hearing this week, referring to cybersecurity…”
and a DHS response here:
http://news.cnet.com/8301-13578_3-10048063-38.html
I'm a simple guy and I'm going to over simplify my response. So here goes.
Politics and money aside, because there is alot of both for this issue DHS would be dumb not to fight to keep control of mission for the sheer amount of $ being thrown at it, without strong leadership and authority it wont matter who is in charge of cybersecurity for the US.
When I was just getting interested in security and still in college I went to Black Hat New Orleans 2002, and listened to Erik Birkholz's "How To Fix a Broken Window" talk.
From the talk description:
C:\>net send * “Don’t expect secure networks if you haven’t empowered your internal security team.”
Security vs. usability may finally become a balanced equation. All the usability in the world isn’t worth a damn if your internal network is a wasteland of default configurations and blank passwords. Security teams are now a required internal resource. Contrary to popular belief there are NOT 24 working hours in a day. Security can not be treated as a side order. The excuses need to stop - now.
The amount of the above that still rings true 7 years later is just ridiculous but the important thing I took from that talk 7 years ago that is still true today is don't give people the responsibility of security and no authority to do anything about it.
So what does that have to do with DHS & the White House and who's calling the shots? Well, the fact that DHS and U.S. Cert have all the responsibility but no authority. The U.S. Cert can send .gov organizations alerts, advice, guidance, incidents, threats, whatever all day long, but at the end of the day they really cant make those .gov entities do shit. That is the sad reality, those other agencies in most situations don't have to listen to the cert or can merely say "we took care of it" and there is no secondary investigation to be done or allowed. Additionally, there seems to be no punishment for receiving failing FISMA grades or having numerous amounts of security incidents, unless you call getting extra funding "to fix the problem" a punishment.
The simple version is this:
If things don't change...if the authority to withhold funds, internet access, or the ability to fire people who show gross incompetence or the inability to handle the security responsibility of their organization, if we dont stop putting people in CSO/CIO positions who have no security background, if getting a failing FISMA grade doesn't actually mean anything, and if we dont change the broke ass way that some .gov agencies operate it wont matter who is responsible for cybersecurity or how much money you throw at the problem its still gonna be jacked up. In fact, who's to blame bad guys for breaking into networks that are just so damn easy to break into?