New U.S. Government Cybersecurity Position

From InfoWorld:

The Department of Homeland Security Cybersecurity Enhancement Act, approved by the House Subcommittee on Economic Security, Infrastructure Protection and Cybersecurity, would create the position of assistant secretary for cybersecurity at DHS. The bill, sponsored by Representatives Mac Thornberry, a Texas Republican, and Zoe Lofgren, a California Democrat, would also make the assistant secretary responsible for establishing a national cybersecurity threat reduction program and a national cybersecurity training program....

The top cybersecurity official at DHS has been the director of the agency's National Cyber Security Division, a lower-level position, and technology trade groups for several months have been calling for a higher-level position that could make cybersecurity a higher priority at DHS.

Sadly, this isn't going to amount to anything. Yes, it's good to have a higher-level official in charge of cybersecurity. But responsibility without authority doesn't work. A bigger bully pulpit isn't going to help without a coherent plan behind it, and we have none.

The absolute best thing the DHS could do for cybersecurity would be to coordinate the U.S. government's enormous purchasing power and demand more secure hardware and software.

Here's the text of the act, if anyone cares.

Posted on May 6, 2005 at 8:05 AM • 11 Comments

Comments

Israel Torres • May 6, 2005 9:57 AM

The traditional way of creating large slow moving organizations is certainly not the way to go in a cyber-world while electronics zip by faster than thought.

Israel Torres

Clive Robinson • May 6, 2005 10:20 AM

Sounds like an excuse for Texas Uni to collect another 300 Million in pork...

Anonymous • May 6, 2005 10:21 AM

(quote) "The absolute best thing the DHS could do for cybersecurity would be to coordinate the U.S. government's enormous purchasing power and demand more secure hardware and software."

If done sensibly, that would help. But it seems to me more likely than not that it would result in mandatory compliance with FIPS-like standards and tests, which have little to do with actual application security, and cannot possibly be engaged in by small players.

For example, we are a small closed source software company; we pay much attention to security, and our results so far have been good; but we don't by far have resources to have our software FIPS tested, as the costs of that exceed hundreds of thousands of dollars per release.

I have doubts that our company could hold on to its spot and continue to produce the quality software I hope to believe it does if arbitrary bureaucratic rules with mandatory, insensible and hugely expensive compliance were in place.

Zimbel42 • May 6, 2005 1:41 PM

Even a history of software companies with track records of poor security would help (and warning off government purchases of such products). It wouldn't be perfect, but it would have less of a negative impact towards small companies simply because they're small than FIPS standards.

David Mohring • May 7, 2005 8:15 AM

Bruce, what do you expect them to do? Is it possible to begin to define a set of objectives, goals and concrete actions?

For example:

1) Set up baseline expectations for all aspects of computer security, including the handling by software of Internet/network transmittable data and documents.
http://groups.google.com/groups?...

2) Move to virtualized, sandboxed environments and auditable build environments, including provision from third-party Trusted Build Agents.
http://itheresies.blogspot.com/...

3) Because security mechanisms are fallible, provide secured secondary channel notification mechanisms. It only needs a small percentage of people to opt in to such schemes for the systems to act as an effective honeypot system, detecting possible fraudulent access.
http://itheresies.blogspot.com/...

Matthew • May 7, 2005 8:00 PM

How 'bout pushing for some power for customers who buy security-defective software to get some portion of their purchase price back.

Zimbel42 • May 9, 2005 10:37 AM

I actually think that the process by which a company creates secure products is more useful (and a better regulation target) than the individual products. Basically, I view (software) security as more of a portion of a development process than a feature of a product.

Carol Stimmel • May 9, 2005 2:33 PM

In a town full of bully pulpits, it does seem true that little can be accomplished by adding one more. However, the creative powerless *can* make a difference. In this case, by pushing for security governance (just as many commenters are suggesting in discrete ways). Not to make even a tiny move towards the cyberczar we'd all like to see seems foolish.

Israel Torres • May 10, 2005 8:27 AM

"Imitation is said to be the sincerest form of flattery.

glad to see I have a fan club... I'm rubber and you're glue ...

Israel Torres"

I am not entirely clear as to what your motives are. Surely you can find better things to do. Apparently Bruce doesn't mind users posting as other users, otherwise he'd put a stop to it.

Israel Torres

Katrin • October 27, 2012 2:06 PM

Howdy, are you using Wordpress for your site platform? I'm new to the blog world but I'm trying to get started and set up my own.

Do you need any html coding knowledge to make your own blog?
Any help would be really appreciated!
