This morning, US President Barack Obama unveiled the outlines of a change in direction for US cyber-security policy. The first announcement relates to the creation of a new military command that will centralize and expand on existing cyber-war-fighting capabilities. This is overdue, and should bring more coherence to efforts that were already spread out between several different military branches (notably the Army, Navy and Air Force) and the intelligence services. The NSA, for example, has long had a “red-team” offensive capability in addition to its defensive corps. As I understand it, the new military cyber-command will reside in the Department of Defense. Less clear is whether the new organization will just be a military operation, or whether it will also take over parts of the intelligence services’ capabilities.

The second part of today's announcements, the Cyberspace Policy Review, seeks to reform the way the US Government secures itself, its agencies and critical infrastructure like the stock exchanges. As reported in a story in the New York Times, the reforms will create a new office residing in the White House that will report to both the National Economic Council and the National Security Council. The remainder of this blog post analyzes what the plan, which was unveiled at 11 today, recommends.

Where We Came From

But first, a little background. Most security-watchers know that the last big attempt to improve government security was FISMA, the Federal Information Security Management Act. The Act codified an approach to protecting government systems. It required all federal agencies to assess the risk of their information systems, implement minimum baseline security controls as defined by NIST, and most critically, certify and accredit that each agency’s systems had in fact implemented the required security controls. The tangible outcome of the process was a related “scorecard” exercise undertaken by the House Oversight and Government Reform Committee. The idea was to give letter grades (A through F) to each agency.

In theory, this sounds like a good idea. In practice, it did little to improve security. The evidence is everywhere. We've all read the reports in the news about perfidious Chinese hackers, opportunist Ruskies and the like snooping around federal systems and systematically looting them of all their treasures. The picture painted in the press is of a government whose variously-accredited and certified systems are nonetheless wide-open to hackers. While it's hard for most people to get a real sense of the scope of the problem from the papers, people I've spoken to who do government contract work for a living tell me that the stories we've seen are just the tip of the iceberg. And on a personal note, I can tell you that in my past I've helped investigate an incident involving an attack on a military weapons program by foreign attackers. So the dangers seem clear and present to me.

What’s Wrong with the Current Approach?

So, what's wrong with FISMA, and does this review address it? In my view, FISMA serves a useful function because it defines how the risk assessment, control selection and audit processes are supposed to work at a federal level. This is good, but it is important to remember that FISMA is mostly about compliance with a security program and its processes, and not about the effectiveness of the security itself. Practically speaking, what FISMA and the annual House scorecarding ritual did was:

- Create incentives to “finish the audit” rather than make systems more secure
- Force answers to the wrong question: “are you accredited?” rather than “how secure are you?”
- Conflate compliance with security
- Create a strange new vocabulary out of step with the private sector (ask Goldman Sachs or Bank of America about the importance of their “accredited systems” and they will look at you like you have two heads)
- Focus on inputs (controls) rather than outputs (KPIs and attacks)
- Divert vast amounts of cash to auditors and other “process”-focused Beltway Bandits

And beyond FISMA, the current approach did not:

- Effectively share attack and intrusion data with the private sector
- Coordinate the federal agencies with shared responsibilities for security: Homeland Security, Defense, Justice, Energy, Treasury and others
- Consolidate responsibilities for cyber-defense and responding to attacks

What the Review Recommends

The review recommends the following 10 actions, which I have reprinted and lightly edited:

1. Appoint a cybersecurity official responsible for coordinating the Nation’s policies and activities, with dual reporting to the National Security Council and National Economic Council. The new policy chief would establish a new NSC directorate to coordinate interagency strategy and policy
2. Prepare an updated national strategy to secure the information and communications infrastructure
3. Designate cybersecurity as one of the President’s key management priorities and establish performance metrics
4. Designate a privacy and civil liberties official to the NSC cybersecurity directorate
5. Identify legal issues and recommend policies that would clarify roles, responsibilities, and the agency authorities needed to coordinate cybersecurity-related activities across the Federal government
6. Initiate a national public awareness and education campaign to promote cybersecurity
7. Develop U.S. Government positions for an international cybersecurity policy framework and strengthen international partnerships in this area
8. Prepare a cybersecurity incident response plan; enhance public-private partnerships to streamline, align, and provide resources to increase their contributions and engagement
9. Conduct R&D on game-changing technologies that have the potential to enhance the security, reliability, resilience, and trustworthiness of digital infrastructure
10. Build a cybersecurity-based identity management vision and strategy that addresses privacy and civil liberties interests, leveraging privacy-enhancing technologies for the Nation

What the Review Gets Right

- Correctly identifies that there are too many barriers to collaboration within the government, and between the government and the private sector. Some of these barriers are organizational, and others are legal. For example, under what legal authority could the government acquire attack data from a privately held stock exchange? Another example: do liability (discovery) fears prevent the private sector from sharing data? Aligning the legal régime with simple common sense would be terrific.
- Focuses on intrusion detection and response (outcomes) rather than the checklists (inputs). I noticed, for example, that the words “accreditation” and “certification” appear nowhere in the document, while “intrusion” appears 14 times.
- Earmarks R&D dollars to find and develop new security technologies. This is too important to be left solely to the private sector.
- Calls out preservation of civil liberties as an explicit goal, with participation from the private sector and what the review calls the “privacy community,” which I can only imagine means organizations like the EFF, EPIC, and the Ponemon Institute. This is the sort of language that we would never have seen in, for example, a plan authored by the President's predecessor.

Where It Misses Opportunities

- Places too much faith in “consumer education” around topics like fraud and identity theft. Consumers know very well that the internet is a dangerous place, full of predators and identity thieves. The government should instead be asking: why is the information consumers have on their PCs so valuable? And what can the government do to move authentication beyond the broken password paradigm most users follow today?
- Too timid with respect to identity management. True, the report mentions expanding the HSPD-12 federal credentialing and authentication programs across the government, which is good. And it does recommend the US government “develop policies that encourage the development of a global, trusted eco-system that protects privacy rights and civil liberties.” That is great, but the report could have gone further and recommended the US do what many European countries have already done: make the government a “trust anchor” as the source for national digital identities.
- Misses an opportunity to mobilize action on existing critical infrastructure, notably SCADA (energy) and transportation, particularly the air-traffic control system. These areas are only hinted at in the review, and the few mentions they get lack any sense of urgency.

Overall, there is more to like about the Cyberspace Policy Review than dislike. It correctly shifts the emphasis from process to outcomes, and makes pragmatic recommendations on how to remove barriers to getting things done. This is all good.

What it Means for the Private Sector

For Forrester customers in the commercial and private sectors, the Cyberspace Policy Review will not mean much in the very short term. The document merely recommends changes to the direction of future US policies. We are a long way off from seeing legislation that would obligate enterprises to do anything differently than they are doing today. However, over the medium term the recommendations will inform policy decisions lawmakers must make. As a result, I expect the private sector can expect:

- Increased focus on sharing security incident data with sector ISACs and with the government, on a voluntary basis at first
- Increased government involvement in setting direction for identity management, probably stopping just short of a national digital identity initiative
- Gradual removal of anti-trust and discovery/liability disincentives to share security information
- Much stronger focus on incident response and penetration testing, both at the federal level and as a recommended industry “best practice”

Overall, the document signals quite clearly that our previous approaches were not working. One might say that Hope, something President Obama campaigned on, will not be sufficient when it comes to cyber-security. Ironic, no?

I'd recommend you read the Cyberspace Policy Review yourself to draw your own conclusions. It is about 75 pages, and not a difficult read. As always, I value your comments and e-mails.