CSIS's Cybersecurity Agenda

The Center for Strategic and International Studies (CSIS) published "From Awareness to Action: A Cybersecurity Agenda for the 45th President" (press release here). There's a lot I agree with -- and some things I don't -- but these paragraphs struck me as particularly insightful:

The Obama administration made significant progress but suffered from two conceptual problems in its cybersecurity efforts. The first was a belief that the private sector would spontaneously generate the solutions needed for cybersecurity and minimize the need for government action. The obvious counter to this is that our problems haven't been solved. There is no technological solution to the problem of cybersecurity, at least any time soon, so turning to technologists was unproductive. The larger national debate over the role of government made it difficult to balance public and private-sector responsibility and created a sense of hesitancy, even timidity, in executive branch actions.

The second was a misunderstanding of how the federal government works. All White Houses tend to float above the bureaucracy, but this one compounded the problem with its desire to bring high-profile business executives into government. These efforts ran counter to what is needed to manage a complex bureaucracy where greatly differing rules, relationships, and procedures determine the success of any initiative. Unlike the private sector, government decisionmaking is more collective, shaped by external pressures both bureaucratic and political, and rife with assorted strictures on resources and personnel.

Posted on February 10, 2017 at 12:01 PM • 10 Comments

Comments

George H.H. Mitchell • February 10, 2017 12:31 PM

    Unlike the private sector, government decision making is more collective, shaped by external pressures both bureaucratic and political, and rife with assorted strictures on resources and personnel.

I don't think the 45th President understands this any better than the 44th one did.

Clive Robinson • February 10, 2017 1:06 PM

@ Bruce,

With regards to the section you have pulled out, this had a rather more obvious flaw:

    The first was a belief that the private sector would spontaneously generate the solutions needed for cybersecurity and minimize the need for government action.

The private sector's business models were and still are entirely the wrong way around for even the remotest chance of that happening.

I don't know what was happening in those cosy little fireside chats Obama had with Silicon Valley seniors but as far as Cybersecurity was concerned nothing favourable happened.

With hindsight the FBI's Comey kind of blew the gaff on those, when he effectively blackmailed Obama...

The simple fact is there is no money in making Cyber Secure products, history has taught us this over and over. Quick dirty with lots of bells and whistles was what sold.

This has got worse for other reasons; after all, OSs, browsers and other applications are not seen as "needing" more than lip service to cyber security. After all, why bother when you can have a nice secondary market very profitably flogging extra --almost faux-- security products like AV solutions, Intrusion Detection Systems and the instrumentation hardware etc.

Then of course, there are all those "money for old rope" security courses and certification...

Why destroy a nice little ecosystem of profit, when you don't need to?

I know it sounds cynical but, hey, just follow the money.

Rhys • February 10, 2017 1:22 PM

You have to buy into their fact base, and then buy into their logic.

What the internet was originally sponsored and built to do, and what it is now being subsumed into are very different things.

Why shouldn't disruptive technology be subject to disruption?

Forget the "lamentations". Form follows function. Cyber insecurity (or lack of integrity & assurance) reflects what has been allowed, not just by omission, to grow.

Even if someone had a masterplan for the private sector to address that growing divide, what has emerged is more like legacy Viking culture. And culture (at least in the USA) was once about consensus, not industrial efficiency in service of selective owners of capital, freebooters, and foreign governments co-opting what was a US public asset.

The ambivalence only leads to more equivocations, entrenchment, and paralysis.

The 'bureaucracy' that is designed to administer policy has been used as a sacrificial element for technophobic and ill-prepared legislators. Bureaucracies aren't (save in Napoleonic-style governments) to sponsor or create policy. That is what once separated appointed from elected officials.

So, like 16th Century Britain, we have, by omission, allowed privateers to forage freely and now we want to rein them in. They still contribute too much $ from their activities to be just swept away. And the public won't permit legitimization such as the Hudson Bay Company.

There's plenty of technology now, and more on the way. Without a clear charter, de facto East India Companies will just war until there is another awakening of that futility.

CDR J H BOOTH • February 10, 2017 1:23 PM

"Unlike the private sector, government decision making is more collective, shaped by external pressures both bureaucratic and political, and rife with assorted strictures on resources and personnel."

As someone who's worked for the federal government both in and out of the military for over 35 years, the quote in the article is spot on. The federal bureaucracy is the fourth and strongest branch of the government and is currently not subject to the checks and balances that the US Constitution forces upon the other branches. In effect, the fourth branch of government, the bureaucracy, can "slow roll" any administration, anyone in Congress, and just plainly ignore the judiciary. After all, in four years, everything changes anyway. Until politicians, the gutless wonders that most are, stop worrying about being re-elected and instead stand up to and disassemble the federal bureaucracy, nothing, and I mean absolutely nothing, in government will change.

Instead of appeasing and bending to pressures of the federal bureaucracy, this administration needs to find some backbone and stand up and make it more lean, agile, and responsive to entrepreneurial change. My personal metrics for determining if this administration or any administration is up to the task are when the MSPB is overwhelmed by tens of thousands of cases of dismissals, the courts are backlogged taking appeals from the MSPB, and housing prices in the DC area start to fall at least 10% from all the "beltway bandits" and entrenched bureaucrats being forced out of town.

anony • February 10, 2017 4:19 PM

Can someone post this up on the Squid when it shows?

"A script to completely take over a running Linux system remotely, allowing you to log into an in-memory rescue environment, unmount the original root filesystem, and do anything you want, all without rebooting. Replace one distro with another without touching a physical console."

https://github.com/marcan/takeover.sh

Ted • February 10, 2017 6:50 PM

Although creating a Consumer Cybersecurity Product Safety Commission (CCPSC) went without a specific mention in the From Awareness to Action final report and press release, it did receive some valuable and lengthy consideration in one of CSIS’ seventeen “Cyber Policy Task Force” Working Group Discussion papers.

“Establishing the U.S. Consumer Cybersecurity Product Safety Commission (CCPSC) would allow the government to improve cybersecurity products and services, identify insecurities, respond to infractions, educate consumers, and improve coordination with the private sector.”

As a corollary to the Consumer Product Safety Commission (CPSC) created in the early 1970s to oversee product safety standards for products ranging from pacifiers to walkers, the paper raises the idea that a cybersecurity product safety commission could similarly provide quality and efficacy safeguards for the cybersecurity consumer market.

https://www.csis.org/programs/technology-policy-program/cybersecurity/csis-cyber-policy-task-force

https://www.cpsc.gov/

73018753 • February 10, 2017 10:31 PM

Going by the title, I thought this post was going to be about Canadian spies.

CSIS = Canadian Security Intelligence Service

Drone • February 11, 2017 7:43 PM

"There is no technological solution to the problem of cybersecurity, at least any time soon, so turning to technologists was unproductive."

This statement is sooo wrong... "Technologists", for the most part, DO know how to dramatically improve our level of security, but Management and/or the Political Elite do not allow them to do their jobs. This is because (1) they don't understand the solution (much less the threat), and/or (2) the solution inconveniences them in some small way.

More than once I have warned Management about vulnerabilities only to be put on a back burner. Then when a vulnerability is exploited, I'm the first to be blamed. The only way I survive is by making sure my rear-end is covered.

Stephan eldred Vanhoek • February 12, 2017 2:32 PM

With all due respect, it all comes down to the same runaround BS. Sure, until all devices are fully proprietary and serve themselves cybersecurity will be a major issue, but is that an excuse not to do the obvious? Like addressing the problem of sneaky and forced permissions. Or perhaps applying monopoly laws to the high level of cooperation between corporations. I believe at the very least a government server is in order.

Incompetence is not a good excuse.

Title? • February 15, 2017 11:43 AM

I also found the title misleading, as I too thought it was: CSIS = Canadian Security Intelligence Service
