I finally had a chance to read through the Center for Strategic and International Studies [CSIS] paper on Securing Cyberspace for the 44th Presidency. This group appears to have some clout so some of the recommendations may come to pass.

Still mulling the recommendations over, but here are my early thoughts.

1. The reorganization of responsibility will introduce delay and is unlikely to improve the situation

Let’s say the National Office for Cyberspace comes to be early in the Obama administration. We are in for an ineffective time period and disruption while the new organization is ‘stood up’ and everyone figures what their new role is in this organization. Is it six months, a year or longer before the new organization is effective? Anyone who has dealt with government stand up efforts and associated bureaucracy is probably shaking their heads.

Many loyal blog readers have been involved in one or more re-orgs of large organization, especially with arrival of new management. How often has that really made a dramatic difference? I don’t see the organizational structure being even close to the biggest impediment to date.

2. This whole consolidation / czar concept that is the rage is flawed, at least as related to information security.

We like to think that we can bring in a superstar with charisma to become the czar, e.g. drug czar, education car czar, cyber security czar, …, and all will be well. In this control system cyber security effort I’d argue the key is the people three, four and five levels down from this charismatic czar.

The one exception where a new structure and charismatic czar would work is if you have a talented and motivated team in place that is being stopped from being effective by completely inept leadership. That is not the case here.

The biggest problem I have seen is a lack of talented control system security resources in the various government organizations trying to solve this incredibly hard problem. To make matters worse there is an incredible amount of turnover. Look at how many people we have heading up the control system security effort at NCSD. Please note that I said lack, not absence. There is some control system security talent in DHS, DoE, EPA, GAO, … just not close to enough and not there long enough.

Security is hard, detailed work on technical and administrative security controls. It is also not a one-time event, play the “security is a process” card here. It is going to take a large, broad and skilled team to address all the critical infrastructures.

3. Politics Does Not Support Addressing The Most Significant Risks First

Can you imagine anyone in government saying we are not going to address critical infrastructure cyber security in ten to twenty states because they have a low population and would affect the economy much less than a successful control system cyber security attack on any of the other thirty states? It can’t be said or accepted in the government. This is a crude example of the problem of being in the government. There are so many times when the right answer is “we are not addressing X serious risk now because we are addressing Y even more serious risk first”. Imagine the press a statement like “US Government admits it has no plans to stop X attack and will not address this problem until 2010.

When we perform a first control system security assessment with an asset owner, there is always a huge amount of cyber security work to be done to get to an accepted risk level. It can be overwhelming, and this is just one organization. They have to understand an organization can’t go from zero to strong security in a year, probably not even in two or three. However by focusing on the items that offer the greatest risk reduction, the improvement in security posture is typically huge in that first year.

I think the most important sections in our assessment reports is the list of prioritized 5 short term and 5 medium term actions. Our good clients get those done in year one and then move onto the next items that offer the most risk reduction. Our best clients have a very strong control system security program after three to five years and at that point they are primarily focusing on maintaining and auditing their security posture.

If I were control system security czar, I would try to identify a small number of high risk reduction actions that could be accomplished in six months, twelve months, and then try to prep for the actions for the next year. A huge amount of risk would consciously not be addressed at all, and this is what is not acceptable when you have to testify to Congress or report to the President and his staff.