While Alex has dealt rather masterfully with the consequences of the trumped-up Russian SCADA hacking incident, I’d like to point to a different aspect of it: the cybersecurity “wake up call.” The Springfield incident was immediately called a “wake up call” for cybersecurity practitioners. Of course, we now know that it was not a cyber attack. But suppose , for the sake of argument, that it really was the work of nefarious Russians. That would be a real cause for concern, wouldn’t it?

As Bob Gourley tweeted, we’re now in our 4th decade of “cyber wake up calls.” The only thing more played-out in the cybersecurity field is the phrase “digital pearl harbor.” So why does the phrase continue to predominate? Some of our panelists at the FedCyber Government-Industry conference talked about problems with the private sector’s lack of attention and budgetary emphasis on security and lack of recognition from policymakers of the evolved nature of the threat. While these are worthy explanations, perhaps something else is at play: the cyber snooze button that we perpetually hit whenever we are “woken up.”

Cybersecurity obviously is a huge concern to policymakers and analysts. The private sector is also taking note. But the problem, as Bob has said in the past, is that on a day-to-day basis security is simply not a priority. It is seen as a technical matter rather than policy issue that demands the attention of CIOs, and is based on a reactive model rooted in point defense of all access points rather than defense in depth, does not tackle enterprise management as a whole, and is rooted in the fallacious assumption that the PC as the only point of vulnerability within an organization. Moreover, as Martin Libicki points out in his book Conquest in Cyberspace,  there is no such thing as forced entry in cyberspace. The vast majority of successful attacks are the result of simple weaknesses that were not proactively addressed.

To be more simple, the cyber snooze button is continuously hit because many simply do not want to wake up to the reality that cybersecurity is no longer an exotic subfield limited to a small cadre of technical experts. It is a basic element of living in a hyperconnected world that will only grow more so as more and more elements of our lives become networked. Trusting your toaster will be the least of your concerns. But for whatever reason, we cannot accept this reality and make prudent–if sometimes painful–adjustments.

Rather, cyber is cast in terms of an exotic and unstoppable threat akin to megaterrorism or nuclear warfare. The problem with this is that it tends to encourage outlandish and unworkable solutions, lead to scares akin to the one that Alex has analyzed, and casts cyber as a strategic matter to be dealt with by politicians rather than an problem with multiple dimensions. There is the nation-state based cyber threat, certainly, but many firm and agencies deal day to day with opportunistic criminals–not Stuxnet or a crack team of elite PLA infowarriors.

Until we can learn to see cyber in less dramatic terms, we will continue to have multiple wake up calls, and a few scares like the Illinois water pump incident. Unfortunately, some organizations and individuals will have hit the snooze button one too many times, and will face threats—although certainly less severe than Vladimir Putin’s colleagues wiping out critical infrastructure–with the potential for serious fiscal, personal, or public relations damage.

You may also like -

Crying "Cyber Attack" in IllinoisAlex's 2012 Tech PredictionsFederal R&D PrioritiesInterested in Cyber Security? Read (and support) the new Cybersecurity Legisl ...The Cyber Power IndexThe Cybersecurity “Wake Up Call” and the Snooze ButtonCrucialPointLLCCrying “Cyber Attack” in IllinoisCrucialPointLLCAlex’s 2012 Tech PredictionsBob Gourley2011 in CybersecurityBob GourleyCybersecurity Workforce FrameworkCrucialPointLLC

Department of State: Critical to US International Cyber Strategy

Cyberspace is interconnected technology. It is everywhere. It is an ecosystem with many stakeholders and literally billions of actors. The rise of Cyberspace as a capability has already changed us in many ways, and for years it has been having an impact on the nation’s strategy. Now, after some great staffing and planning by some of the sharpest minds in our nation and after coordination with allies, industry, academia and scores of thought leaders, a new International Strategy for Cyberspace has been articulated.

As a watcher of cybersecurity developments for the last 15 years I view this as a remarkable strategy, for many reasons. One is that it is a strategy with a clear vision:

The cyberspace environment that we seek rewards innovation and empowers  entrepreneurs; it connects individuals and strengthens communities; it builds better governments and expands accountability; it safeguards fundamental freedoms and enhances personal privacy; it builds understanding, clarifies norms of behavior, and enhances national and international security.    This cyberspace is defined by four key characteristics:

• Open to innovation
• Interoperable the world over
• Secure enough to earn people’s trust
• Reliable enough to support their work

The strategy goes on to articulate an approach that combines diplomacy, defense and development. And it advances seven key priorities founded in wise examinations of both our own needs and abilities and the vision we have for enhancing the prosperity of the nation and international community.

Another reason I like this strategy is it is actionable. This strategy provides the vision and objectives required for federal agencies to build their implementation plans, so you can expect continued actions from multiple departments and agencies.  In the Department of State, for example, we can expect the entire foreign service to be inspired by this strategy. Want some proof that this is actionable? Consider who was at the White House rollout of this strategy. The leadership of the Department of Defense, Department of Homeland Security, Department of State and Department of Commerce where all there underscoring their intent.

I would like to leave you with a personal endorsement. I believe in this strategy. It is well coordinated, is focused on the right objectives, respects our nation’s ideas and gives us all a framework of actions we can form up on. I believe this strategy is important enough to be read and studied broadly, not just by national security professionals, and not just by the cyber security community. We should all form up on this strategy.

To help in this regard, start your own study by visiting the links below:

• Howard Schmidt’s blog entry at Whitehouse.gov Launching the U.S. International Strategy for Cyberspace
• The Fact Sheet for the Strategy
• The Full Strategy

Related articles

• White House Releases New Cyberspace Strategy (pcworld.com)
• Lynn: Cyberspace Strategy to Build Coalition of Nations (waronterrornews.typepad.com)
• White House Releases Comprehensive Cyberspace Policy (informationweek.com)
• Obama outlines vision for future cyberspace (seattlepi.com)
• Launching the U.S. International Strategy for Cyberspace (whitehouse.gov)

You may also like -

DoD's New Strategy for Operations In CyberspaceDeputy Secretary of Defense Lynn: Cyber Strategy’s Thrust is DefensiveCyber Command Achieves Full Operational CapabilityCTO Perspectives on Cyber Security BillPros and Cons: Cyber CommandCyberspace not like the Serengeti, says paperCrucialPointLLCKilling Trees for CyberspaceHaft of the SpearThe End of Cyber Security (Part IV)Haft of the SpearSINET Showcase 27 October 2010CTOvision.comUS Cyber Command Conducts Tactical Cyber ExerciseCTOvision.com

On 12 May 2011 the Obama Administration unveiled its cybersecurity legislative proposal.

The entire proposal is available for your review at this link: cybersecurity legislative proposal. But I most strongly recommend you read the context provided by the government’s Cybersecurity Coordinator and Special Assistant to the President Howard Schmidt first. Howard provided a clear introduction to this legislation that includes a framework that will make the details easy to remember. The three thrusts to remember are that this proposal will:

1. Help safeguard personal data and the right to know when your data has been compromised
2. Help protect national security by addressing threats to infrastrucure
3. Help protect federal systems while creating stronger privacy and civil liberties protections that keep pace with technology.

That is a very short introduction to well thought out legislative proposal. Please dig deeper and read both Howard’s blog entry and the draft legislation. I have read it all, and I strongly support these very positive measures. Like many others who track these issues, I would have supported a package that did even more, but the fact is we have to move out now and this package of draft legislation is fantastic and deserves our support now. I would like to see it immediately passed and then we can all collectively work on ideas for future enhancements.

For more please start with Howard’s blog post here: http://www.whitehouse.gov/blog/2011/05/12/administration-unveils-its-cybersecurity-legislative-proposal

The meat of his post is copied below:

The Administration Unveils its Cybersecurity Legislative Proposal

Posted by Howard A. Schmidt on May 12, 2011 at 02:00 PM EDT

Today I am happy to announce that the Administration has transmitted a cybersecurity legislative proposal to Capitol Hill in response to Congress’ call for assistance on how best to address the cybersecurity needs of our Nation.  This is a milestone in our national effort to ensure secure and reliable networks for Americans, businesses, and government; fundamentally, this proposal strikes a critical balance between maintaining the government’s role and providing industry with the capacity to innovatively tackle threats to national cybersecurity.  Just as importantly, it does so while providing a robust framework to protect civil liberties and privacy.

When the President released his Cyberspace Policy Review (pdf) almost two years ago, he declared cyberspace as a key strategic asset for the United States and its security just as vital.  This legislative proposal is the latest achievement in the steady stream of progress we are making in securing cyberspace and completes another near-term action item (pdf) identified in the Cyberspace Policy Review.

The Administration proposal helps safeguard your personal data and enhances your right to know when it has been compromised. In addition to educating you on how to protect yourself from cyber threats with the Stop. Think. Connect. campaign, we believe organizations should inform you when your sensitive personal information may have been compromised.  This notice not only helps you to protect yourself against harms like identity theft, but also incentivizes organizations to have better data security in the first place.  Today, our country has a patchwork of 47 state notification laws.  Our proposal simplifies and strengthens this reporting requirement and reaches all Americans.

It helps protect our national security by addressing threats to our power grids, water systems, and other critical infrastructure. These systems are the backbone of our modern economy; many are privately owned, but all merit our support in protecting them.  The Administration proposal advances the security of our increasingly “wired” critical infrastructure, strengthens the criminal penalties for hacking into the systems that control these vital resources, and clarifies the ability of companies and the government to voluntarily share information about cybersecurity threats and incidents in a privacy-protective manner.  This is behavior we want and need to promote.

It helps the U.S. government protect our federal networks, while creating stronger privacy and civil liberties protections that keep pace with technology.  Since our Federal systems are under constant pressure by hackers, criminals and other threats, the government needs better tools to detect and prevent those threats.  Part of cybersecurity is about finding malicious programs, and stopping their spread before they have any impact.  This proposal allows the Department of Homeland Security (DHS) to implement intrusion detection and prevention systems that can help speed our response to these incidents.  The Administration proposal also designs a framework for protecting privacy and civil liberties that includes new oversight, reporting requirements, and annual certification to ensure that cybersecurity technologies are used for their intended purpose and nothing more.

The Administration’s proposal is one of a number of important steps we are taking towards achieving better cybersecurity.  We look forward to working with Congress as it moves forward on this issue.  Together, with a shared responsibility to enhance online safety and security, we can ensure cyberspace continues to be an area defined by growth and innovation.

• Read the fact sheet (pdf).
• Read about the Administration’s Cybersecurity Accomplishments (pdf).
• Read the text of the legislative proposal.

Howard A. Schmidt is the Cybersecurity Coordinator and Special Assistant to the President

Related articles

• White House Releases Cybersecurity Plans (informationweek.com)
• W.H. brings cybersecurity plan to Hill (politico.com)
• The Administration Unveils its Cybersecurity Legislative Proposal (whitehouse.gov)
• White House Set To Unveil Cyber Security Plan: Sources (huffingtonpost.com)
• Two Themes from Obama’s Cybersecurity Proposal: Private Auditors and Immunity (emptywheel.firedoglake.com)
• AP sources: White House set to unveil cyber plan (seattletimes.nwsource.com)
• White House to unveil cybersecurity proposal (theglobeandmail.com)

You may also like -

Announcing the FedCyber.com Government-Industry Computer Security SummitMature Models for Healthy and Resilient Cyber SystemsSpecial Summary: Enterprise security storiesFederal R&D PrioritiesGovSec conference is March 29-31 2011Obama Appoints Privacy Board MembersBob GourleyDeputy cyber coordinator leaving the White HouseCrucialPointLLCCybersecurity Receives Emphasis In State Of The Union AddressCrucialPointLLCGuardians of the Grid: Agencies Unite to Bulk Up Utility CybersecurityCrucialPointLLCWhite House, Congress Renew Cybersecurity PushCrucialPointLLC

General Alexander is keeping busy at NSA/CYBERCOM

Last week, General Alexander (director of NSA and commander, USCYBERCOM) spoke at the RSA conference in San Francisco. He pointed out the the explosion of technology over the past 10 years. That users went from an average of 250MB of personal files, to over 128GB. The fact that 70% of Americans online are on Facebook – that 600M users worldwide are as well. This, mixed with the huge advances in programming (Watson and Deep Blue) lets us know that we do have the capability to protect and defend our advanced networks.

General Alexander reminded us of attacks on Estonia (2007) and Georgia (2008) as well Latvia, Lithuania, Azerbaijan and Kyrgyzstan. His concern is that some of those attacks might be used on the 15K DoD networks. These networks are scanned over 1 million times a day, yet receive 20k email attacks a month, thousands of independent network assaults. The DoD is scanning 92TB+ and 150B+ packets every day.

The biggest problem is that our public/private infrastructure is the backbone to the network. Additionally, there is a need to secure the defense industrial base. This was made certain by the USB flash drive issues in 2008. General Alexander states, ”Take combined talent and figure out how we secure the network.”  The “combined talent” is that in academia, private industry, and public servants.

The general brought up needs to have widespread cyber education. For our citizens and our civil servants (military and government). The people need to be educated on their role in cyberspace and how they can be a factor in this domain.

Lastly, General Alexander focused on how important STEM + R&D efforts will be to cyberspace dominance. STEM (Science, Technology, Engineering and Math) studies are needed to have educated work force.  R&D spending drives innovation. This ties in with his thoughts on a public/private partnership – pushing STEM + R&D needs to be done at academic, private and public levels, and must be concerted efforts.

You may also like -

Invincea Named Most Innovative Company of RSA 2011US cyber chief says cloud computing can manage serious cyber threatsCrucialPointLLCCyber attacks are becoming lethal, warns US cyber commanderCrucialPointLLC

If you are an enterprise CTO I’m hoping you already have the site of the US Computer Emergency Readiness Team (CERT) bookmarked.  It it has been a while since you have seen their site please check it out at http://www.us-cert.gov They provide important resources for any enterprise technologist, not just security professionals.

Organizationally they have a team of strong cyber players that have been honing their craft for years.  The US CERT serves a significant mission– they are there to strengthen the defense of the Federal government’s networks, especially those in the civil executive branch (the “.gov” of the Internet).  In executing that mission they help many others and are a critically important part of our nation’s defensive fabric.   The US CERT is run by the National Cyber Security Division (NCSD) of the Department of Homeland Security (DHS).

Today the US CERT opened its new operations center.  Their facility is called the National Cybersecurity and Communications Integration Center (NCCIC).  It is a “Unified Operations Center” designed to enable the co-location of other key components of the NCSD and DHS, including the National Coordinating Center for Telecommunications (NCC), the National Cyber Security Center (NCSC), and the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).  This new operations center also hosts liaison officers from many other related watch centers which will make it a key information clearing house and a critically important capability for the nation.

I was allowed into the combined watch floor today and was excited to see the tremendous visualizations analysts and watchstanders will be able to leverage as they seek enhanced situational awareness.   Even though all the organizations in this room have different “chains of command” they all share common needs for fast, accurate information and their ability to dialog over visualizations will enhance their ability to jointly figure out what is going on.

On a personal note:  I am very optimistic about this new unified operations center and its ability to make a positive impact– and– although I have seen and believe in the technology they are using, the real reason I’m so positive is the quality of leaders involved.  I’m upbeat because of the folks I know who are driving the right actions.   They include Phil Reitinger , a savvy professional and executive with understanding of the law and technology and mission, RADM Mike Brown, one of of our nation’s greatest military leaders and a key driver of our nation’s cyber posture for over a decade, and a past associate from DIA who had been responsible for ensuring the DoD’s JWICS network survived and thrived and continually enhanced support to the DoD mission.   These folks have many hard tasks ahead and their work is by no means complete but they are some of the best the nation has and deserve our collective support.

You may also like -

CTO Perspectives on Cyber Security BillCongrats To Sony Corp! This is a very good moveGovSec conference is March 29-31 2011FedCyber.com Cybersecurity Summit on Wednesday, September 28SINET Showcase 27 October 2010Evolving Approaches to Cyber ThreatsBob GourleyDebrief from The White House Forum on IT Management ReformCTOvision.comDHS CIO discusses 12 Cloud ServicesCrucialPointLLCEnhance your security postureCTOvision.comSpecial Summary: Enterprise security storiesBob Gourley

Technologists of all sort have been closely tracking events associated with cyber security, and most have been watching the many activities associated with White House efforts to enhance our ability to trust our digital infrastructure.

In my view, technologists from academia, startups, IT providers, integrators and large enterprises (including the federal space) need to understand that security and functionality are not two different concepts. They are the same concept. You don’t get functionality without security. And security without functionality is not security, its stupid.

As you continue your focus on security and functionality I’d like to encourage you to keep tracking the thoughts and actions of Melissa Hathaway, acting senior director for cyberspace for the National and Economic Security Councils. If you read the results of the 60 day review she and her team did, then you have a terrific foundation of key issues and you will know a framework for further action. But Melissa is now moving out on action plans and you involvement in them can make a significant positive difference.

My recommendation on how technologists can help:

a) In my opinion, technologists are the only ones who can really understand how the many standards bodies operate and we are the only ones who can exert positive influence over them (since the most important standards bodies, like the IETF, are collegial, collaborative bodies where well articulated ideas are the ticket to entry). So, advice you can give to federal leaders on standards and influence you can have in the standards world are important contributions you can make. (see: http://ctovision.com/2008/05/standards-organizations-ctos-should-track )

b) As Melissa and others move out, it will be important that we stay in tune with what is going on.  In this current environment of transparency and openness this is actually very easy to do.  In fact, one easy way is to take a little time and watch the clip of Melissa Hathaway from her presentation at the Symantec Federal Summit of 16 June 2009 . Please check it out here: Melissa Hathaway Clip. Listen for her views on the need for action plans and listen for her intent to move out. And listen for her clear articulation of what is different now. Some major things have changed in the cyber world.

After watching the clip I think you will see why it is so important that technologists think of security and functionality in the same breath.  Our nation’s leaders are now thinking of national security and economic security in the same breath.  That is totally analogous. You don’t get national security without economic security.  And you don’t get IT functionality without IT security, in my opinion.

You may also like -

Enterprise Technology Developments in 2010 and 2011The most well thought out research agenda for cyber security I have seen to dateSurvey says: Security risks never higher, or more costlyOpinion: The most needed innovations in IT are in the security domainMature Models for Healthy and Resilient Cyber SystemsIf You Could Pick One Thing For Congress To Do Regarding CyberSecurity, What ...CrucialPointLLCGourley Discusses Big Data Security With IDGCrucialPointLLCFedCyber.com Cybersecurity Summit on Wednesday, September 28CTOvision.comBig Data and the Enterprise CIOCrucialPointLLCDebrief from The White House Forum on IT Management ReformCTOvision.com

I enjoyed listening to the President today as he provided an update on where we are in our efforts to enhance our freedom of action in cyberspace.  All the details are on the White House website and I hope you visit there yourself to download the 60-day cyberspace policy review. Details are here: http://www.whitehouse.gov/CyberReview/

I have been reading the report already– and will also read all the papers and studies referenced there.

So far I have three comments:

1) I really enjoyed hearing the President reference Melissa Hathaway.  She has done an incredible job and to hear him praise her was music to my ears.  Melissa deserves the thanks of the nation.

2) A great deal of work remains to be done. The policy review provides a framework for action and guidance that will help prioritize activities, but don’t expect instant miracles.

3) Number one on the list of near term actions is to appoint a cybersecurity policy official. The President did not do that today.  That will be done in due time.  I should also point out that no one in government is using the term “Cyber Czar” for this position.  That term Czar is used by all the reporters and all the pundits.  It sounds cool.  It also brings lots of baggage.  The typical “Czar” in DC is a powerless position that has little or no effect.

To underscore that point I’d like to close with a little self-plagerization.  A reprint of a blog post I first wrote in January 2009 titled “We have a cyber czar, and he has spoken.“  In the post, now below, I try to make the point that if Putin can accomplish his objectives in our networks then he is our cyber czar.  I also hope to make the point that we should not be happy with him being in this position.

We Have A Cyber Czar, and He Has Spoken

A debate has been running for months both among government thought leaders and the technical literati on whether or not the US should appoint a “Cyber Czar” who can exert authority over IT security in the federal space or perhaps even aspects of the nation’s IT defenses.  This is a complex discussion that has had some of the greatest thinkers in and out of government involved.   A great snapshot of issues and the opinions of many well reasoned experts are expressed in the CSIS report “Securing Cyberspace for the 44th Presidency“   and other thoughts are here: The Future of Cyber Security and here: Threats In the Age of Obama .

Unfortunately for those who would like to still debate and discuss this issue, there is already a Cyber Czar who can accomplish most all his objectives in our networks.  His name is Russian Prime Minister Vladimir Putin.  This former KGB operative now controls Russia with an iron fist and has shown others again and again he will exert influence anywhere he needs to in order to accomplish his objectives.  He will use tanks when required and cyber when desired and combinations when it suits him.  There are indications his agents are also in our networks now.  If our objectives are to keep players like him out, we cannot say we are accomplishing them.  If his objectives are to get in, then we can say he is accomplishing them.  Till this situation changes, we need to confront then this new reality:  Vladimir Putin is the Cyber Czar.

We have our own great technologists and wizards of cyber, of course. And we have great hero entrepreneurs of technology who have built the cyber world we all use today.  One of those greats is Michael Dell, creator of an idea and corporation that develops, manufactures, sells and distributes personal computers we all depend on.

But he is someone who will now think twice before thinking he can interact as a peer to Cyber Czar Putin.  After listening to Putin’s speech at the World Economic Forum in Davos, Michael Dell praised Russia’s technical and scientific prowess and asked a nice, friendly question:  “How can we help.”  As a former govie CTO I would get asked that type of question all the time from industry and really appreciated it whenever a senior thought leader would ask that.  But not Czar Putin.  He did not appreciate that at all.   Putin was offended by the assertion that the mighty Russia might need help in anything Cyber. The exchange is captured here on YouTube:

Fortune: described the exchange this way:

“Putin’s withering reply to Dell: “We don’t need help. We are not invalids. We don’t have limited mental capacity.” The slapdown took many of the people in the audience by surprise. Putin then went on to outline some of the steps the Russian government has taken to wire up the country, including remote villages in Siberia. And, in a final dig at Dell, he talked about how Russian scientists were rightly respected not for their hardware, but for their software. The implication: Any old fool can build a PC outfit.”

Clearly cyber domination is personal with Putin.  He is the Cyber Czar.

I think I should end with a plea to all who care about cyber freedom and all who know the potential positive contributions of IT:  Please don’t be pleased with this current situation.  Please don’t just think the title of Cyber Czar I’ve now used to describe Putin is something we should be proud of.  It is not.  We should continue to act till we are able to assert that we are masters of our own networks.  Our nation’s intellectual property, including the intellectual property of all our companies and citizens, is too important to let it be given away without at least a cyber fight.

You may also like -

Interested in Cyber Security? Read (and support) the new Cybersecurity Legisl ...FedCyber.com Cybersecurity Summit on Wednesday, September 28Deputy Secretary of Defense Lynn: Cyber Strategy’s Thrust is DefensiveCTO Perspectives on Cyber Security BillCalling All Federal Cybersecurity Practitioners: Contribute ideas and actions ...The U.S. International Strategy for CyberspaceCTOvision.comIf You Could Pick One Thing For Congress To Do Regarding CyberSecurity, What ...CrucialPointLLCJTF-CND to JTF-CNO to JTF-GNO to CybercomCTOvision.comThe FedCyber.com Cyber Security SummitCTOvision.comCyber Conflict Studies Association History ContestBob Gourley

Last week at the InfowarCon my friend Dan Kuehl handed me a copy of Cyberpower and National Security.  Cyberwar has been a topic Dan has been exploring in some detail for quite a while.  I first met Dan in 1996 when I was a student at the USMC Command and Staff College, and at that time Dan was already writing and exploring concepts related to cyber power and information warfare.  His deep focus and insights into this still emerging mission area continues today.

[amtap amazon:asin=1597974234]

About the book, it is big. Not just in pages (it weighs in at 642 pages). It is big in info. Chapters are written by some of the greatest thinkers of the Cyber War mission area. Folks like Dan Kuehl, Edward Skoudis, Greg Rattray, Martin Libicki, Irving Lachow, Tim Thomas, Tom Wingfield and of course the editors Franklin Kramer, Stuart Starr and Larry Wentz. These and the other contributors are all well respected thought leaders and each provide insights I believe will be of use to today’s strategic planners.

As for the content, it starts with a great foundation and overview of what is meant by Cyberspace (building on Dan Kuelh’s well articulated definition) and also spells out key issues that policy makers and national security strategists must tackle. It then analyzes and explores changes in cyberspace including projections into the near future, and ends with an analysis of the impact of all these changes- including the considerations we must think through in our strategic deliberations.

I now consider this book a critical foundational work that should be studied by anyone who seeks to dialog on modern national security issues.  This book does for the strategic domain what the Common Audit Guidelines did for the operational cyber domain.

I know NDU will continue to examine these topics, and look forward to more material from them.  I also look forward to continuing to enage with others in academia via the Cyber Conflict Studies Association, a group that includes many of the authors of this Cyberpower and National Security work.

You may also like -

Congrats To Sony Corp! This is a very good moveA look at GSA's Managed Trusted Internet Protocol ServicePrediction: BlueCat Networks is one you should watchSave the date: Geoint will be 16-19 Oct 2011FedCyber Webinar: The Security Development LifecycleFISMA Mandates Monthly Security Reports For AgenciesCrucialPointLLCDHS Outlines New Monthly FISMA Compliance RequirementsCrucialPointLLCDHS’s National Cyber Security Division and Idaho National Laboratory win cybe ...CrucialPointLLCFedRAMP includes 168 security controlsCrucialPointLLCInteragency group looks to common cyber security language, skillsCrucialPointLLC

The Wall Street Journal just ran an article titled:  “New Military Command to Focus on Cybersecurity.”   In it they indicate “current and former officials familiar with the plans” say a new military command will be established to coordinate the defense of Pentagon computer networks and improve US offensive capabilities in cyberwar.

WSJ also reports that Defense Secretary Gates plans to announce the creation of a new military cyber command after the rollout of the White House review.

My opinion:  This WSJ article seems more balanced and accurate than the article I discussed in my post “NYT wants cyber security to be a divisive issue.”

The WSJ article is in consonance with what is going on and what should be going on.  I believe NSA should be formally given the lead for defending DoD/IC systems, but defense remains a team sport, and DHS should be given the lead for defending the rest of .gov networks (while still leaning on NSA/DoD/DNI as required).  And all players need to work well with industry and allies in a coordinated, fast moving way.

What does this mean for enterprise technologists?  For the most part it is good news.  But for day to day security operations in most enterprises, the relationships you have with other organizations will remain the same as before– for now.   And the current body of best practices remains in place.  You still need to understand and implement and follow the Common Audit Guidelines, for example.  Doing that is going to help you and will help others too.

You may also like -

GovSec conference is March 29-31 2011Pros and Cons: Cyber CommandIntelligence Community Executive Forum on Cyber OperationsDefense bill passes after lengthy debateCrucialPointLLCCybersecurity Workforce FrameworkCrucialPointLLCPentagon CIO’s Tech Revamp: 4 PrioritiesCrucialPointLLCLeadership changes in DoD IT, logistics, cyberCrucialPointLLCHomeland Security Committee Unveils Cybersecurity BillBob Gourley

Followers of the cyber initiative and its related work have been strongly encouraged by the kickoff of a 60 day study tasked by the White House and led by Melissa Hathaway.  Melissa was named by President Obama to conduct this review.   As has been reported here in previous posts Melissa is one of the most effective, efficient senior executives in public service, and I have no doubt she will execute this task in a way that benefits the nation.

As an update, the White House blog posted an entry on this study today.  It reads as follows:

White House Blog
Monday, March 2nd, 2009 at 11:14 am
Cyber review underway

John Brennan, Assistant to the President for Homeland Security and Counterterrorism, passed along this update about the ongoing review of our nation’s communications and information infrastructure.

In response to President Obama’s direction, the National Security Council and Homeland Security Council are presently conducting a 60-day review of the plans, programs, and activities underway throughout the government that address our communications and information infrastructure (i.e., cyberspace). The purpose of the review is to develop a strategic framework to ensure that our initiatives in this area are appropriately integrated, resourced and coordinated both within the Executive Branch and with Congress and the private sector.

Our nation’s security and economic prosperity depend on the security, stability, and integrity of communications and information infrastructure that are largely privately-owned and globally-operated. Safeguarding these important interests will require balanced decision making that integrates and harmonizes our national and economic security objectives with enduring respect for the rule of law. Guided by this principle, the review will build upon existing policies and structures to formulate a new vision for a national public-private partnership and an action plan to:
enhance economic prosperity and facilitate market leadership for the U.S. information and communications industry; deter, prevent, detect, defend against, respond to, and remediate disruptions and damage to U.S. communications and information infrastructure; ensure U.S. capabilities to operate in cyberspace in support of national goals; and safeguard the privacy rights and civil liberties of our citizens.

The review will be completed by the end of April 2009. At that time, the review team will present its recommendations to the President regarding an optimal White House organizational construct to address issues related to U.S. and global information and communications infrastructure and capabilities. The recommendations also will include an action plan on identifying and prioritizing further work in this area.

Learn more about the administration’s Homeland Security priorities.

UNQUOTE

The fact of this White House blog entry is a huge signal that something has changed.  Openness on this topic was unthinkable just months ago.  We have also seen more direct work with industry groups on cyber, another positive step.

There is a great deal of work to be done in a very short amount of time.  What ever the result of this review is I’m sure it will be first rate and I’m ready to support it fully.  It is not often that I endorse something before it is done, but in this case I think it is the right thing to do.   There are too many bad things happening because of poor security, and too much of the economy is hurting because of it.

You may also like -

CTO Perspectives on Cyber Security BillFedCyber.com Cybersecurity Summit on Wednesday, September 28Interested in Cyber Security? Read (and support) the new Cybersecurity Legisl ...Debrief from The White House Forum on IT Management ReformThe U.S. International Strategy for CyberspaceDeputy cyber coordinator leaving the White HouseCrucialPointLLCWhite House grading agency cyber progressCrucialPointLLCTurnover in DHS cyber office continues, Nicole Dean leavingBob GourleyFurthering the Field: A Comprehensive Program for Cyber Conflict StudiesDevost.NetDept. of Energy developing project to reinforce grid cybersecurityCrucialPointLLC