WT Business Beat

By Nick Wakeman


Cyber Plan: Security exec remains underwhelmed by Obama’s vision

Plenty of industry and government officials have given President Barack Obama’s cybersecurity announcements rave reviews.

But don’t count John Prisco, president and chief executive officer of security firm Triumfant, as one of those reviewers.

While some executives have taken a wait-and-see stance, few have declared themselves “underwhelmed and unimpressed,” as Prisco did on his company blog.

He supports the idea of defining the problem and pushing for more government-private sector cooperation. “But after reading the report again I find myself very disappointed by what was released, as I saw very little in the report that showed tangible, immediate steps forward,” he wrote.

Some of the questions and concerns he raises include:

*Agencies continue to miss Office of Management and Budget deadlines because there is little enforcement and there are few consequences for noncompliance.

*Action is needed now; more analysis will only put cybersecurity efforts further behind.

*There is too much reliance on the larger information technology security companies for guidance.

On this point he writes: “It is obvious that many of the changes needed to take significant steps forward will potentially upset the status quo and may therefore be disruptive to the established revenue streams that these companies enjoy.”

*Why announce the plan on a Friday of a short holiday week? That gives the impression that this is not a front and center priority.

I think Prisco makes some good points, particularly about the timing of a Friday announcement.

My questions:

*What are the critical questions we should be asking or looking for in the cyber report?
*What powers and responsibilities should the cybersecurity coordinator have? Who should be the coordinator?

Leave your comments below.

Posted by Nick Wakeman on Jun 02, 2009 at 9:53 AM

Reader Comments

Wed, Jun 3, 2009 templar New Hampshire

I have watched flaws remain unaddressed by clients in my consulting work, company profits continue to rise in firms that lost millions of personal records (TJX), and the ubiquity of credit and debit card use continuing unaffected by these losses. Records collected and published by the Privacy Rights Clearinghouse (http://www.privacyrights.org/ar/ChronDataBreaches.htm, 29 May 2009) provide significant evidence that there has been no real, or at least no effective, moral or financial incentive for organizations to fully invest in data security measures. It is vital to note that the general causes of the lost data tend to be programming and system implementation errors (and just losing laptops...) that have been known within the industry and have remained uncorrected at these organizations. It is simply not true that any significant number of the attacks were the result of wily hackers outsmarting diligent corporate efforts. Even in firms that have firewalls or Intrusion Detection Systems (IDS), the tendency is that they do not have the staff to keep such systems up to date or to review risks revealed in system log data.

Another section calls for a public-private partnership to secure “the next generation of infrastructure.” This is a fundamentally erroneous approach. Something as large, diverse, diversified, and complex as our overall telecommunications infrastructure (to embrace everything from SCADA and the electric grid to on-demand movies for a fee) is simply never going to change in any definable ‘generational’ way. New technologies have historically been overlaid on existing structure. The so-called infrastructure of today consists of several mixed infrastructures of varying technologies. No matter what comes next, the security flaws that are in play today will persist for several changes of technology, until they are finally dropped as unsupportable.

More importantly, this means that security strategies must allow for both improvements, such as more bandwidth to handle complex data encryption schemes, as well as allow for the inevitable legacy systems that will be on the backbone for years to come. In short - I completely agree with Prisco that there is a very big element of "they STILL don't 'get it'" in the report. I fear they will continue to study, with the help of the large firms heavily invested in the present approaches (as in, keep it quiet so few notice the Emperor has no clothes), and reality will have moved on - again - if solutions are ever offered. Solutions that will not fit the problems.

Wed, Jun 3, 2009 Barry

I agree with the concerns in Prisco's analysis, but would suggest another challenge not being adequately addressed in any of the public efforts: our penchant for heavily planned, highly structural analysis and organized planning, even if done well, actually makes us more vulnerable by making us predictable. Look at the federal security world and you will see a blizzard of programs, systems and interminable multilayered acronyms, most developed by bureaucrats and contractors intent on justifying their billing. What we need instead is a level of unpredictability that makes it difficult for the bad guys to figure out where we might be vulnerable and what we might do. There are, after all, experts in the terrorism and international criminal world just as smart as our experts, and given time and reasonable knowledge of our often overly structured activities, they will find holes--see the rapidly growing identity theft problem for an example. The only way we counter that, in the end, is to be sufficiently amorphous and unpredictable, at least to the outside world, to make their probing both more difficult and more dangerous for them. Alas, the government/contracting model tends to discount the kind of serendipity and "two guys in a garage" mentality that could make that happen.
