What are your thoughts on the recently issued Executive Order on Improving the Nation’s Cybersecurity?
The order covers a lot of ground, including:
There is even a directive for the creation of “pilot programs informed by existing consumer product labeling programs to educate the public on the security capabilities of Internet-of-Things (IoT) devices and software development practices…”
What are your thoughts? Are the right areas being addressed? How impactful do you feel these directives will be?
Aren't the largest breaches in the non government sector, still?
Every incoming US president creates a security/information security/cybersecurity
In this instance he really didn't have a choice with the pipeline incident. One of those damned if you do and damned if you don't type of situations. And you're right about information sharing with the U.S. Gov. on it typically being one way. Hopefully, this will at least help with information sharing within the U.S Gov. itself though.
I'm more pessimistic than optimistic on this actually helping prevent future incidents like with Colonial pipeline. I think the focus should be on the regulatory agencies overseeing Critical Infrastructure for actual change to happen.
There's already the CISP (Cyber Security Information Sharing Partnership) run by NCSC in the UK. It's of some value, but even with the traffic light system in place many organisations are wary about sharing information about the incidents and near misses they've suffered. The problem with if you show me yours I'll show you mine, is that hardly anyone want to make the first move to share info. I usually wound up ringing the GovCERT UK duty handler instead.
Having spent 25 years in the US federal government I can tell you this. The best and brightest minds are not working there, especially since I left (HAHAHAHAHA!). The problem is that they cannot afford the best talent because of the archaic HR system and incompetent HR practitioners. And also archaic procurement rules. I switched multiple federal jobs due to HR incompetence. Why did I stay for so long you may ask? Simple. Job security. It was comfortable and reliable. I watched as coworkers sitting right beside me as contractors made 50K/year more than me for doing the same job, well without the fact that I had to approve their work. I saw plenty of lucrative positions that I didn't want to take the risk on since I had a young family. Now that they are almost grown and out of the house, I plan to make the jump and take more risks. I saw plenty of bright young talent leave after gaining a few years experience for more lucrative positions that we in the federal government couldn't match. You really want to fix US government cybersecurity? Pay more. Be able to fire the poor performers. In my 25 years of US federal service I saw plenty of incompetent workers able to keep their job because they were either protected by unions or there were plenty of old HR rules to make it nearly impossible to get rid of poor performers.
Seems like there is always money available AFTER an incident than there was before. So you have to have a crisis to get better. Add in to that the disjointed nature of the myriad of government agencies, you see the same money being spent multiple times by different agencies to solve THE SAME PROBLEM!
And don't get me started on the antiquated technology being used.
Information sharing???? out of the 16 intelligence agencies, exactly 0 trust the other agencies with their gathered intelligence and only share sparingly or when forced to. No agency wants to be eliminated because another agency is doing the same job and gathering the same data. Plus they all want to feel special and unique.
They should have just hired me for a large salary and I could have fixed it all for them. But their budget is only so big, and HR says I haven't held "high" enough positions or their computer screened me out because I didn't check the right boxes or the HR practitioner doesn't understand what a CISO or CIO actually does and can't relate my experience to the position or I didn't put the exact right keywords in my resume, etc. etc.
@CISOScott But wasn't Homeland Security created to stop the stove piping of information between agencies? ok, ok, when you stop laughing! I have been a member on Infragard for years and while they did share a little information back in the day any meaningful information has all but stopped. Now it's more reports and general alerts. I remember how disappointed I have been when I get alerts faster and with more information from the news than I do from Infragard. And I agree with everything you said. So much of the government is a gun culture that they have always been way behind in understanding IT and respecting those in it.
A year on, how is it going ?
What do you think? Is it having an impact?