CSOinformer - Security wisdom ahead of the curve

National Strategy to Secure Cyberspace

October 8, 2002 - Jim Reavis

I have selected the National Strategy to Secure Cyberspace, both the rollout event at Stanford and the ensuing debate, as the seminal security headline of the month. Sometimes government solves our problems, usually it doesn't. Sometimes it is an effective catalyst for debate, which leads to action.

The Strategy defines 5 different audience levels and makes recommendations for best practices within each:

Level 1: Home User and Small Business
Level 2: Large Enterprises
Level 3: Critical Sectors
Level 4: National Priorities
Level 5: Global

Most of the presentations were done for Level 3: Critical Sectors. In the public sector, this includes the Federal, State and Local governments as well as higher education. On the private side, this includes Banking & Finance, Electric, Oil and Natural Gas, Water, Transportation, Information & Communications and Chemicals. Most of the specifics had to do with the creation and utilization of Information Sharing and Analysis Centers (ISACs). You can't judge the entire strategy from the short presentations, just the mood and tenor of the people involved. I would certainly say the commitment from the leadership in attendance was palpable; will it lead to real solutions and changes?

I'd have to say that, on the whole, the press for this event has been on the negative side. For most commentators, the Strategy did not go far enough with its recommendations.

Rick Forno, noted author and security iconoclast, has spent a lot of time analyzing the Strategy and its earlier roots in the Clinton administration, and he is not happy with the outcome so far. He has summed up the feelings of a lot of people who have followed cybersecurity issues closely since before 9/11. For one thing, there is displeasure at the makeup of the Critical Infrastructure Protection Board:

'...a good portion of this Presidential Board chartered to provide security advice to the President consists of nothing more than executives and civic leaders likely picked for their Presidential loyalty and/or visibility in the marketplace.'

On the other hand, Forno is quite impressed with portions of the strategy dealing with corporate governance:

'In the areas of corporate security improvements, the Strategy indeed shines, as it recommends Board-level accountability for information security, proper security administration, and better integration and alignment of information security with senior management and business goals.'

Like many others, Forno is impatient with the platitudes and lack of action:

'what is currently needed is not a prescription but a mandate on what must be done (and by when) to improve federal information security, not another list of things that "should" be done but most likely won't.'

Finally, Forno feels the Strategy is remiss in not tackling the core flaws in our security infrastructure for fear of offending the entrenched market leaders:

'the Strategy has no concern over the current 'monoculture' environment for operating systems, choosing instead to support the development of new security products, technologies, and services to be built around (or over) the current (and heavily-flawed) 'foundation' for most of America's critical systems.'

It is hard to argue with these straightforward points, and I really can't. However, I have been trying to focus not on what the plan says, but on what is really going to happen next. I was lucky enough to be invited to attend the Strategy event at Stanford on September 18th, and I think the specifics of the "plan" are less important than the fact that we had this event at all. The level of people involved in the debate about information security has steadily risen over the past few years to the point where we now have several direct reports to the President talking about it. I think this event will in the long run actually prove to be a major milestone, not because they solved any problems, but because of the breadth and the depth of the people who are now focused on information security.

To bring this up to a higher layer, I truly believe we are at the beginning of a turning point in the security industry. I think if you combine this strategy with the impact of the terrorist attacks, the Wall Street scandals and people's general mood about our specific industry, we will see significant changes. People are mad at how our corporations are run, mad at how issues are swept under the rug, perhaps mad about the results they have received from the security industry so far, and we will see a willingness to embrace change. By this I mean that instead of security companies improving on last year's models like the auto industry, we are going to see completely new solutions and new companies entering the security market. It is only by historical accident that we have the current security solutions we have, and since we have not seen problems getting solved sufficiently, I think we will see products getting combined, changed and new product segments being formed. I think this turning point applies to the corporate bureaucracy as well, and to the "board level accountability for information security" that Forno pointed out.

There is a lot of latent skepticism among my colleagues in the security industry, and for good reason. The bottom line is that the industry to date has had a lot of good ideas about how to make systems more secure in theory, but has not come up with guaranteed ways to reduce the risk that you will be attacked; the industry has not come up with good ways to make CIOs sleep at night (so far only the drug industry has). Ask yourself this: would you rather be the CIO of a company that had an unlimited security budget, knowing that a top hacker was planning to attack you, or would you rather be the CIO of a company with no security budget, not knowing who, if anyone, was targeting you? I would prefer the latter option, which is a sad statement. I don't believe in simple explanations like sysadmins are lazy or management doesn't care; the fact is that both care quite a bit, but they don't have faith that their efforts will help, so they choose to spend their time on efforts that they know will produce ROI. It is like voting: some people choose not to vote because they do not believe it will make a difference, so why bother?

However, I am more optimistic than that. The failure of the security industry thus far is not a failure of security vendors; it is a shared failure. When customers do not prioritize security, and when regulatory bodies do not specify security, vendors do not receive the critical input they need to prioritize their R&D and build the solutions that are really needed. This is my takeaway. A healthier debate among the consumers of security technology is going to help vendors build what is really needed. I think that some security problems will be looked at in an entirely different way, and we will see new approaches to developing solutions. I think we should expect that many problems will be defined in non-security terms, which will bring in vendors from other technology segments.

I think the current state of the industry is going to be improved by the increased scrutiny it will be getting from this point forward. When customers start getting better security solutions, they will have more confidence and a greater willingness to spend money on security people, audits and standards compliance as well as products. The missing piece is legislation. Security won't get improved by voluntary means alone; there needs to be some enforcement of regulations, and I believe this will come in "version 2 or 3" of the National Strategy. In any case, you can read it for yourself at www.securecyberspace.gov.


CSOinformer is edited by Jim Reavis, founder of SecurityPortal and longtime industry analyst. This monthly newsletter is targeted at people who must take a strategic, multi-year view of the information security industry, and we promise insights you will not find anywhere else.

CSOinformer is a service of Reavis Consulting Group, and is published on the second Tuesday of each month.


© COPYRIGHT 2002/03 REAVIS CONSULTING GROUP. ALL RIGHTS RESERVED.