The powers that be in Washington are not known for getting things done quickly, and the current power vacuum in information security in the capital is a painful case in point. The well-documented failure to find a coordinator to oversee security for the country is only one piece of the puzzle, and as time continues to pass with no help on the horizon, those in the know are growing increasingly restless and discouraged by the process.
Many security experts and Washington insiders have said that the government doesn’t necessarily need a single voice leading the charge on cybersecurity and that much of the work that needs to be done can go on either way. In a podcast last week, Amit Yoran, the former director of the National Cyber Security Division at the Department of Homeland Security, said that a lot of the programs and initiatives comprising the Comprehensive National Cybersecurity Initiative are ongoing, even without a coordinator to direct them.
However, the lack of a coordinator is just one part of the problem. There is a feeling in some circles both in Washington and in the industry that there is a fundamental lack of understanding inside the federal government of the issues that are facing the country and how to go about addressing them. In a blog post describing his experience at the recent Cyber Leap Year Summit, Gene Spafford sounds pessimistic about the potential for progress on this front.
Putting an arbitrary 60-90 day timeline on the proposed solutions exacerbates the problems. There was no interest in discussing the spectrum of solutions, but only talking about things that could be done right away. Unfortunately, this tends to result in people talking about more patches rather than looking at fundamental issues. It also means that potential solutions that require time (such as phasing in some product liability for bad software) are outside the scope of both discussion and consideration, and this continues to perpetuate the idea that quick fixes are somehow the solution.
As Spafford points out, this is a classic government response to a complex problem: look for achievable short-term goals that can win some attention and praise from the voters and worry about the big picture later, if at all. That works for politicians, but no so much for people who have to find solutions to real-life security problems.
Looking for quick fixes and politically expedient answers for the last decade is what has gotten the country in the unenviable position that it’s in right now, Spafford says.
However, this is yet another in long line of meetings and reports with which I have had involvement, where the good results are ignored, and the “captains of industry and government” have focused on the wrong things. But by holding continuing workshops like this one, at least it appears that the government is doing something. If nothing comes of it, they can blame the participants in some way for not coming up with good enough ideas rather than take responsibility for not asking the right questions or being willing to accept answers that are difficult to execute.
The appointment of a cybersecurity coordinator–no matter who it is–will not change that overnight. Indeed, overnight solutions aren’t really possible or even desirable in many cases. Instead, it’s a change in mentality and point of view that would make the biggest difference.