Former PA CISO: National cybersecurity bill won't work
The Lieberman, Collins, Carper cybersecurity bill would do nothing but slow down real progress and undercut Howard Schmidt's authority, former State of Pennsylvania CISO Robert Maley warns.
By Robert Maley
July 29, 2010 — CSO —
It has been four months since I moved from public service as CISO for the Commonwealth of PA into the private sector as a consultant. The thing about cybersecurity is that, although the private sector is just as important as the public sector, the government seems to have been dominating the news and the direction of cyber protection.
The recent introduction of the Lieberman, Collins, Carper cybersecurity bill is a prime example.
It is a complex matter, to say the least, and I have no confidence that the bill will actually make our critical infrastructure more secure.
As Tom Burghardt says in Through the Wormhole: The Secret State's Mad Scheme to Control the Internet, "Fueling administration moves to 'beef up,' i.e. tighten state controls over the free flow of information is cash, lots of it. The Washington Post reported June 22 that 'Cybersecurity, fast becoming Washington's growth industry of choice, appears to be in line for a multibillion-dollar injection of federal research dollars, according to a senior intelligence official.'"
In the Lieberman, Collins, Carper letter to Cisco, Oracle and IBM, a public/private partnership is mentioned, which on its face is a good thing. The private sector is motivated to enhance security and reduce risk because it affects the bottom line of the company. The bill talks about securing the supply chain through a risk management strategy, which I think is overdue. When a government entity acquires a product or system that eventually fails, who is really to blame? The company that met all the requirements of a low-bid contract, or the entity that failed to include specific security deliverables in the request for bids?
The bill also calls for the creation of a national center for cybersecurity and communications and an office for cyber policy.
Last December, Howard Schmidt was appointed the President's cybersecurity coordinator. I thought that position was to lead the administration's cyber strategy, so I am not sure that the addition of new government agencies and bureaucracy would improve things.
In a March Wired.com interview, Schmidt said that "There is no cyber war. I think that is a terrible metaphor and I think that is a terrible concept." He went on to say that "the government needs to focus its cybersecurity efforts to fight online crime and espionage." (He made a similar statement in the CSO story "Howard Schmidt: Cybersecurity battle 'different' this time.")
The Lieberman letter claims the bill will give that position the authority to be the lead in many of the bill's requirements, which would be a good thing. But how new government overhead would make things more secure escapes me.