Federal-speak hides all of the great work going on in DC

I’m just back from participating in the Symantec Government Symposium held yesterday in Washington DC. The event was extremely informative with keynote presentations by Cybercoordinator Howard Schmidt, and Director of Plans and Policies for the U.S. Cyber Command, Major General Suzanne M. Vautrinot. For my part, I sat on a cyber supply chain security panel with folks from DOD, DHS, and HHS.

On the plus side, the feds have a lot of good work going. There is a lot of government brainpower focused on scoping problems, evaluating funding priorities, changing cultural barriers, and defining security solutions. Kudos are well deserved.

With all of this effort, however, it is time to discuss a fundamental problem between the public and private sector — communications. The Feds have a language all of their own, chock full of agency-specific acronyms and a military flavor. Information security is called cybersecurity and there are lots of references to missions, objectives, command-and-control, etc. The word “assurance” is used constantly: software assurance, information assurance, cyber supply chain assurance, and so on. This is just the tip of the federal language iceberg.

In his famous May 2009 cybersecurity speech, the President proclaimed that: 1) Cybersecurity would be a top priority in his administration, 2) That 80% of the critical infrastructure is controlled by the private sector, and 3) That we needed a stronger public/private partnership. For these things to happen, the federal government must realize that they need to drop the inside-the-Beltway lingo and speak to the rest of us in common language. We don’t care which agency owns which initiative with acronym ABC. We don’t speak to each other about missions and battlefields and assurance. Many experienced IT and security professionals have no idea what NIST is or what it is doing. Like it, understand it or not, this is the truth.

The information security challenges we face are real and could be extremely damaging to the country, economy, way of life, and confidence in the government. We NEED the feds to step up but we shouldn’t have to learn a new language or culture to make this happen. I already see the influence of this communications gap as most of the private sector has no clue about all the work going on in Washington — this is wasteful and a shame.

In his new book, Cyberwar, Richard Clarke does a great job of translating Washingtonese to common language. Good effort by Clarke but the fact that he had to do this should be a red flag for all of us. If we can’t understand each other, we are doomed from the start.