One CEO’s Not So Rosy Take on the Cyberspace Policy Review
June 2, 2009
The President’s Cyberspace Policy Review was issued on Friday, and I suppose I should get in the long line of CEOs from the IT security market and commend the study as “groundbreaking” or “impactful” or “a giant leap forward”. I do believe the study was a first, albeit small, step in the right direction. Defining the depth of the problem, calling for cooperation with the private sector, and creating a position responsible for the nation’s cyber security are all positive steps to be sure. But after reading the report again I find myself very disappointed by what was released, as I saw very little in the report that showed tangible, immediate steps forward.
I therefore have to step out of that line and join the very small group that is not patting the government on the back for a job well done. I have picked up on some indirect dissent in the market, with some writers hedging their praise with terms like “…so far…” until they see more meat on the bones. John Pescatore, the respected Gartner analyst on IT security, notes in his blog post on the subject that the review “recommends response over prevention” and adds that it is “basically a strategy for investing in more forest fire lookout towers vs reducing the likelihood and impact of wildfires”.
As the CEO of a small IT security company, perhaps my direct interaction with our customers and prospects provides me a better glimpse of what is going on in the real world in a less sanitized, more firsthand way than most. Specifically, I have seen the results of attempts to implement security policy in the federal space without well-defined enforcement. In Triumfant’s role as a certified NIST SCAP vendor for FDCC compliance, I have seen large agencies that not only do not adhere to FDCC compliance mandates but also do not appear to have a plan in place to begin the process in the near term. Numerous stories chronicle how agencies continue to miss the OMB deadlines, which I attribute to the fact that there is no enforcement or consequence for non-compliance. I see organizations with liberal personal use policies that allow their employees to fill endpoint machines that handle sensitive data with games and music sharing applications that have known vulnerabilities. Such vulnerabilities have already been traced as the source of the compromise of sensitive information about the President’s own helicopter and the nation’s most advanced strike fighter (which apparently has not yet been resolved).
I also found the Sputnik reference in the document to be quite disarming. Lyndon Johnson’s declaration that he did not want to go to sleep by the light of a Russian Moon was against a threat that would take at least a decade to progress past the simplicity of the Sputnik launch and America was already well on its way toward launching its own satellite. The Sputnik analogy disintegrates when you consider that it is generally accepted that cyber criminals from foreign lands have already infiltrated the power grid and other critical elements of the country’s infrastructure. We are not ten years from losing command and control – the evidence shows that we already have. The time to ramp up science and mathematical skills has already been ceded. Real action is required, and those actions must have enforcement teeth to succeed. More years of analysis and broad suggestions will only put us further behind.
I am also concerned that the White House is not looking past the larger companies in IT security for guidance on the way forward. I have said it before – the solutions for many of the problems we face will not be found in the center of the exhibit hall at RSA, yet those were the companies visible at the announcement. To be clear, I am in no way implying that these companies are corrupt or lack a commitment to the United States. But when change is a necessity, it is best not to look toward those who stand to benefit most from more of the same as agents of change. It is obvious that many of the changes needed to take significant steps forward will potentially upset the status quo and may therefore be disruptive to the established revenue streams that these companies enjoy.
One does not have to look far for an example. General Motors filed for bankruptcy protection yesterday on the heels of the earlier bankruptcy filing by Chrysler. It was not that long ago that the government looked to GM and the other auto manufacturers for solutions to fossil fuel consumption. But there was little incentive for these companies to innovate and upset the profitable ecosystem they enjoyed, and they ceded that role to global automakers whose ultimate success has been a significant contributing factor in the demise of GM and the others. I would also add that these automakers did not step up to fuel efficiency until the government added enforcement in the form of stiff corporate penalties if aggregate MPG ratings did not reach certain thresholds – again showing the need for teeth to drive progress.
I have some other concerns about the review. Why was the announcement pushed to a Friday of a short holiday week? That hardly gives the impression that this is front and center in the administration’s priorities. Why is the Cyber Czar position less prominent than promised during the campaign, and less than those in the White House were hoping for? When I combine these subtle signals with the lack of hard and tangible detail in the review, I do not feel a sense of urgency, nor am I confident that we will move from rhetoric to action in the near term.
The evidence is all around us – the time for conversation is well past. If this report is followed by tangible and concrete actions that result in real changes, carried out with a sense of urgency and a structure of rigid enforcement with real consequences for non-compliance, then I will be the first to applaud. But right now you can mark me down as underwhelmed and unimpressed by this first step.