U.S. Cyber Security: Blurred Vision
I've been asked by some of my esteemed colleagues to start voicing my own opinions a bit more on the blog, "create some original content", and pour some of my own thoughts onto the Interwebs, so to speak.
This is probably not a great idea, but we'll see.
In any event, let's look at the topic at hand.
It has been beaten, butted, and batted around quite a bit in the past few weeks -- let's look at a rough timeline of political issues which bring me to this point.
Let's look at the power struggle (I prefer to call it confusion) in the U.S. Government with regards to "Cyber Security" -- in a nutshell.
In the latter part of 2008, the U.S. House of Representatives Homeland Security Committee determined that DHS was not capable of providing proper critical infrastructure protection (and other Cyber protection capabilities) due to a number of issues.
This may well be a political maneuver, or it may well actually have merit.
A number of other issues ensued, including the inauguration of a new U.S. executive administration, which gave this entire issue another direction entirely.
This is also probably due to a group of excellent InfoSec Professionals which were commissioned to produce a set of Cyber Security initiatives for the 44th Presidency. And they did an excellent job.
What becomes of that advice, however, is anyone's guess right now.
Which is what compels me to write this, at this late hour (both figuratively and literally).
The most recent "conflict" to appear on the the U.S. Cyber Security scene is being fought in the back rooms of the intelligence community, the political stage, and the operational community.
And it's not pretty.
What this penny-ante pissing contest is doing -- right now -- is pitting people against one another who would normally be helping each other, from a political and technical vantage point.
And that is not a good thing.
The major problem right now with regards to understanding, defending against, and both tactically & strategically winning the battle in Cyberspace is division of resources.
This fight cannot be won by a single U.S. Government agency, or any U.S. Government agency for that matter. Anyone who believes that is not only disconnected from reality, but also delusional, in denial, and probably doesn't properly understand the problem.
They simply don't have the same perspective, both technically and philosophically.
The problems are multi-fold -- cyber crime takes all shapes, forms, means, and methods. Governments, in my opinion, are woefully unprepared to even begin to understand this, much less prepared to handle these problems on their own.
Budgets are being slashed, there is no proper security training, and most infrastructure is hobbled together with only the slightest of security in mind.
And I'm not talking about SCADA systems, either. I'm talking about the basics.
This is a multi-stakeholder problem, and must become a "public-private relationship".
What does that mean?
Well, it means that we all need each other more than we realize.
There is already a lot of collaboration on a day-to-day basis between security researchers, incident response organizations, government entities (both foreign and domestic), law enforcement, etc.
But it is not working so well.
I'm not sure, but this entire discussion of "...who will be responsible for U.S. Cyber Security.." is the wrong discussion altogether.
We are all responsible.
And we are all failing.