The latest in what seems to be an endless string of reports that take a stab at solving the nation's cybersecurity failures says more effective coordination, metrics, policies, and training are needed across markets. This seems to be a lesson everyone except government grasps.
A lot of valuable material is included in the report, which was put together by the Institute for Information Infrastructure Protection, a consortium founded through a federal grant to coordinate and support research and development in cybersecurity.
Perhaps the most significant recommendation is this: Cybersecurity efforts need to be more universal, to ensure regulations in one sector don't conflict with those in another. The report doesn't use those words, but that's one of the fundamental takeaways for the Senate Homeland Security and Governmental Affairs Committee, which released the report today.
We've heard this before. Corporations, financial institutions, and federal agencies, here and across the globe, have to follow the same or similar rules, with specific metrics and policies driving all cybersecurity efforts. Disjointed efforts across industries practically negate the progress being made, because a vulnerability in one computer system or network will almost certainly spread and manage to infiltrate other networks. The report also notes the importance of a cross-market strategy for addressing the vulnerabilities of the control systems that link to the nation's critical infrastructure, including utilities and transportation systems. Who controls those? Industry, government and even think tanks all contribute to their regulations, but no one seems to have ultimate authority. That's been proven.
The issue is one of strategy. Often in the same breath as noting that the private sector controls on average 85 percent of America's infrastructure, DHS officials will say that the federal cybersecurity plan is to "first get its own house in order." Fair enough: no agency can lead when its own mess is bigger than anyone else's. But this report, along with others that have been released in the last year, understands the need for a unilateral approach to combating threats.
Tunnel vision doesn't work, and has already proven counterproductive.
COMMENTS
Cyber Security and critical infrastructure protection cannot succeed in the absence of International Cooperation. As mentioned at (http://reclaiming-india.blogspot.com/2009/01/critical-infrastructure-protection-in.html) CIP requires good policies and strategies. It also requires a good legal and regulatory framework (http://legalenablementofictinindia.blogspot.com/).
Baljeet 02/21/09 05:25 am ET
ODNI is attempting this single control concept, but is only restating the same control set from the NIST SP 800-53 and relabeling the process IC 1253.
In order to determine a single control set, an organization needs to identify the Subject Matter Areas and associated controls. DISA started the process as the Security Technical Implementation Guides (STIG) but dropped the ball by not identifying the SMA with subsequent selection of similar SMAs from other regulations to round out the process. This process gets complicated as the Domino process assumes command: one document will lead to several, to several more documents, until you reach a point of wondering where you started.
Robet Edwards 02/19/09 12:09 pm ET
It doesn't matter what plan the DHS comes up with. Cyber security will not improve in the federal government until there are consequences for failure. For most government "leaders", cyber security is nothing more than an occasional report. It isn't important. The day cyber security audits affect executive performance reviews is the day we'll see the start of a secure government.
WS 02/19/09 08:33 am ET