The new cyber coordinator position (AKA cyber czar) as described is a position with no real authority, lots of responsibility, and minimal resources. In most worldly views this is an abhorrent lack of command and control for the cyber security arena that smacks of failure before it starts. I on the other hand a lowly professor at a third tier university think not only can the job get done, the mere fact that so many luminaries have passed on the position is good indication of what is wrong with the bureaucracy in the first place. They’re all a bunch of dunderheads.
I guess we can be pretty sure I’m not going to get the position or anything like it in the future as I don’t have a fine pedigree of corporate finesse, I don’t have a mistress, I pay my taxes, I’ve never accepted a bribe, slept with a co-worker, I am divorced, I drive a SUV, I don’t smoke, and I play golf like a spastic orangutan on meth. In other words I’ll never be offered the job so I have nothing to lose telling somebody else how to do the job.
Information assurance and security of large enterprise systems is a solved science. It is a horribly mangled and ridiculously implemented process but we know how to do it. We just don’t. With over 40 years of past experience we have a long history of doing it wrong and announcing a cyber czar is just another in a long list of ridiculous actions taken again and again to solve a problem from a top down perspective. There is a lacking vision and equivocation of corporate disinterest relying on vendor or technology rather than people to solve the issues. Every time you get some big-wig corporate expert to walk through the door to talk about what is relatively a people problem you might as well suck the inside of a grocery bag and turn blue. Inside the belt-way though the business world walks supreme right off the cliff of failure. We only have 40 years of evidence to prove this as true. Just 40 PLUS years.
Cyber security is sexy. Labeling every tom-dick-harry wannabe infamous hacker attack through the distributed denial of service bot net from heck attack of the week as cyber warfare is just one example of this cognitive malfeasance. The reports from GAO, DOD, various supremely gifted at writing the same thing think tanks, and pundits of who enjoy making consulting money off their punditry have more at stake in keeping this problem rolling along unsolved. Saying the market place will solve the problem is an ignorance that can only be applauded for the mere comedy of the statement. Sure. Some major corporation is going to just work themselves right out of job. Shareholders will be happy. “Why see how successful we were our stock just plummeted into the ground”, is the refrain every CEO wants to say. As all us old consultants used to say, “There is way more money in pro-longing the problem than solving it”.
So, now that every red blooded American corporate citizen is calling me an ivory tower pinko commie socialist sympathizer while ignoring my military service and 20 years of experience in information technology. How do we solve this problem?
Start with government systems.
Secure architectures are well known and used in many places of government. But, this isn’t always a technical problem. In fact most computer security isn’t a technical problem. Poor user advocacy, horrible training, poorly communicated expectations, inadequate information technology training, professionalism of information technology professionals, credentialism over service, inconsistent organizational standards and policies, and much more feed the poor security and usability characteristics of government networks.
The answer to this is to standardize on a basic set of requirements. Wait you say, “We have all that in FISMA”. Sure you do and I have a bridge to sell you. Wait that was the Mayor of Chicago who was selling bridges. Anyways, having a policy does not mean people follow it. In fact compliance is very low even though most government systems requirements are very low barriers to entry. So, actually following through on measures for violation of compliance should occur. The position of cyber czar is not to “punish” but to identify. More of a prosecutor versus judge in cyber security issues. That is within the power of the cyber czar. Use the rules on the books to cut organizations off who do not comply. Fire CIO’s and CSO’s who fail to comply.
Open the collective bargaining can of worms and put into union agreements that failure to follow secure computing practices will result in termination. Where in the world does the government think it has the right to release personal information, impact national security in a negative way, destroy peoples lives by allowing for poor security, and when we find out some under paid GS-5 is responsible they get a free-ride? In any place but government that is a firing offense. FIRE THEM. Well if we took this person issue seriously we would fire them. Then again we know that nobody in government really takes this seriously so who cares.
Take government standards groups like NIST and have them design a testing suite for most of their standards. This is done in some cases but not all. Basically for weights and measures there are tests to assure standardized results. However, in computing and networking technologies that is not always the case. This a basic paradigm shift in expectations. Do it. The cyber czar should do this fast. It is a primary requirement for creating standardized compliance procedures. You have to know what compliance looks like. Assessment and testing tools will do that. How can you expect somebody to comply with a requirement when there is no test?
Another point is the acquisition of technology. Stop acquiring technology. No really. Here is the deal. The fact that Moores law exists does not mean you have to keep up at the cost of security and sanity. The fact that the speed of light exists does not mean you have to keep up. Whoa. All those fast adopters, information technology professionals, software vendors just had heart attacks. Listen. Are you going to listen to drug dealers and drug addicts on how you are going to write drug laws and regulations? Leadership is about telling people what do to, and more often what NOT to do. If your vendor says they are going to end of life a software system kick them to the curb and NEVER DO BUSINESS WITH THEM EVER AGAIN. For gosh sakes you are talking about the FEDERAL GOVERNMENT one of the largest enterprise installations on the planet. Don’t ask software and operating system vendors when they will provide updates. TELL THEM WHEN YOU will be doing updates. This is a great job for a cyber czar. Get back control of the enterprise. Don’t just continue doing the same idiotic crazy stuff because that is the way you’ve always done it. Nobody would allow a furniture salesman to walk into their house, remark that the couch is out of warranty and no longer supported, and force you to buy a new couch. In fact I kind of think that old couch might be kind of comfy.
This is just a short list of elements that government could do. They are supposed to represent vision and leadership. Unfortunately the myopic view of the federal government is about accruing power and less about actually solving problems.
Then there was industry.
The glows of corporate security officers are shining examples of the excellence of the market place in defining security as a primary concern. Well maybe not. When a data theft occurs in general there is little actual loss of corporate revenue. When you look at identity theft those losses are passed along to consumers as higher fees or built into profits and losses. In other words every time a company fails to secure their systems they see little risk other than regulatory. If companies as a group are failing to meet security needs it can be eloquently argued that they make more money with less security. Completely against common knowledge lack of regulation feeds a practice that has second and third order consequences to the consumer that are disconnected from the perpetrator of risk (the companies). If you are a corporation and a security system (people, process, technology) is going to cost 1 billion dollars, and total loss might be 100 million dollars (recovered quickly through higher fees that might continue for years thus becoming profit) there is no chance as CIO/CSO you are going to spend the money needed to secure. However, the theft when it happens (oh and you know it is going to happen) might represent 10 billion dollars in loss to consumers and a significant impact on the economy when considered in aggregate to the totality of the economy. Looking to the market place to drive security centric practices is like trusting your daughter to the auspices of the Hells Angels on free pitcher Friday. Actually I trust the Hells Angels much more than most CEO’s. The Angels may be criminals but they have honor.
What we need is some regulation. Oh, there will be those who say regulation costs money, it impacts profit, is anti-American, yadda yadda yadda, bite me. Unregulated water supplies make no sense, unregulated electricity is anathema, and if you think about it just about everything is regulated to create common welfare. Somewhere in the past the first amendment got conflated into data warehousing and poor security practices as protected speech. Corporatism at the cost of society kills Americans just as bad as terrorism. In fact while they are out standing corporatism up lets start conflating corporatism with terrorism. Most Americans simply don’t understand what stealing their identity really means. Most Americans don’t understand how much data is transacted and used AGAINST them. Then to make matters worse companies are poor to gleefully negligent custodians of Americans data. Some companies consider data to be a product. That is all of your personal information is theirs to sell and use as they see fit. That is your medical, financial, social, personal data that you would not want anybody to have. It is a form of commerce.
What we need is regulation now. Regulation should insure that privacy is assured. Privacy should be assured through good computing practices. Good computing practices are well defined by NIST and other government entities. You want to run a gas station you have to follow many practices that are regulations. You want to own a liquor store, sell food, or cut somebody’s lawn you have to follow regulations. Yet there is little in the way of federal regulation protecting consumers. What federal regulation is in existence is more about taxes and business practices of transferring money than they are about protecting consumers. In other words most laws and regulations on the books are about government and business or business and business interfaces. Consumers left out to wave in the wind as juicy targets. Few if any in Congress actually care about Americans. They will wave that standard all the time though when it is to their advantage. It is time for the Czar of Cyber to grab this issue and push it hard. We need a privacy act based on the Constitution to explicit protect Americans from the predatory practices of companies. I just heard Google fart. No congressman is going to take this on.
Specific regulations that should be pushed (this is just a small set to think about heavy on privacy).
Privacy Act, single holder requirements with non-disclosure, time based destruction, non-warehousing, failure to comply measures;
Data retention, non-holding of any data, destruction requirement, use with permission only, failure to comply measures;
Computer security, minimum NIST, system assurance, training, failure to comply measures;
Mandatory disclosure, system failures requirement to report, data holder failure to secure, failure to comply measures;
Liability of disclosure, tort and civil infraction liability for failure, second and third party liability in depth (you took the data you are responsible not the back up tape company or transport company), failure to comply measures;
A cyber czar cannot make these things happen. They can provide leadership to congress and a central point to help inform policy. I just want to see congressman get up and say “We don’t give a damn about your privacy and we’d rather take 10 million bucks from Google than protect you from identity theft”. Go ahead and say it congressman. Most of the laws exist in watered down forms in many states and in some cases are even on the books for the feds. The problem is that there are so many holes and so few methods for actually acting on them compliance is almost negligible. Make compliance mandatory and back it up. Chasing down pedophiles may be the low hanging fruit for the FBI, but I would rather see them taking on real computer security issues. Like whacking companies who don’t give a damn about Americans and exist on the bones of their customers. Make profit a real issue and put measures into place that are perceived as risks so companies will comply. Congress has left much of this in the realm of the courts and reliant on TORT law (where it hasn’t been whacked into insolvency) so the consumer is left with nothing. Thanks congress those big businesses and your malfeasance has left us with no real hope for secure computing systems. Maybe a cyber czar can raise these issues. No major corporations’ are going to like what needs to happen. Even if it is the right thing to do. Maybe the Hells Angels will take contracts on CEO’s from the Cyber Czar? Heck the CIA contracted Blackwater to take out Al Queda. CEO’s are much worse for national security than terrorists.
The cyber czar can move along things like patent reform. Perhaps the cyber czar can impact software vendor malfeasance though pushing warranty requirements on software. Sure Microsoft just took me off their Christmas Card list, but I know creating software is a creative effort filled with risk. Those are great excuses to explain the low quality rapid development to shrink-wrap cycle that drives large profits and decreases security. Sorry software vendors but y’all suck. Over in my ivory tower reading this document filled with typos and poor grammar what do I have to say about software vendors? Ya’ll suck. Blaming it on millions of lines of code, not enough good coders (I know dozens that are out of work), and saying consumers won’t pay for the expense are great excuses to ruin the national security of America. Get this through your heads folks. Writing poor software is easy and quick AND profitable. Writing good software is hard and slow AND profitable. The difference is whether the company is thinking about consumers or reporting to shareholders for the next quarter. In this line of thinking consumers should be able to sue directly the shareholders beyond the veil of corporate shadow for software that injures them. Go ahead and put that into your risk portfolio for the next release of leaky operating system version 2. Oops I think Warren Buffet just aspirated a Martini Olive.
Cyber security is a big problem that moves among the factions of government like a hyper kinetic ping pong ball. Well if you imagine the ping pong ball made out of uranium moving at a million miles per hour and about ten thousand degrees. Nobody really wants to fix it, but everybody wants to talk about it. Like a geekgasm gone horribly wrong everybody wants a pieces of this sexy topic so they can peel funding off into their pet non-geek projects. The intelligence community like NSA really isn’t interested in seeing everybody secure their systems so they can’t peek on them. Really law enforcement talks a good game but if all those pedophiles, hackers, and drug dealers secured their systems and encrypted their data they would be done. Like the jocks yelling “NERDS!!”, the MBA’s in government keep ripping of the technologists underwear and stealing their lunch money. In all honesty though like the prophetic 80’s comedy of nerds versus jocks where the nerds were more interested in tech than girls. We’ve got an entire generation of technologists who are more interested in shiny tech than security.
A cyber czar may have no power but they can provide vision and leadership through consensus building. Then again the monolithic thing called government harkens back to another old movie. You know government is a lot like that entity that moves over and takes over everything making all stuff just like it and ending up one giant “Blob”. I won’t be the cyber czar and I’m kind of happy many of the candidates who were supposedly offered haven’t taken it. We don’t need another corporate pirate CEO, or a life long government loser of poor security practices, but what we do need is a visionary who will piss people off. Listening to the malarkey that people I know in government have to deal with in draconian security for little real gain. Listening to people who are impacted by strange dictates by nerdlers (nerd Hitlers). Shake things up or fail. A poor binary but a truism in the reality of the situation.
Cyber czar wherever you are good luck.
1 comment for “If I was czar for a day: Poking stakeholders is fun”