As I read the twelve initiatives of the CNCI, I was looking for its strong and weak points. However, I couldn’t help but think about the level of effort that was required to produce these nice words on these general thoughts. Is this document and the program around these initiatives going to produce the dramatic increase in effort and effectiveness that is needed? I’m skeptical.
And I have a question for loyal blog readers. Many of the initiatives focus on centralization. Manage the Federal Enterprise Network as a single network enterprise. Deploy IDS/IPS across the whole enterprise. Coordinate all R&D. Government-wide counterintelligence. This is similar to the idea that if we combine all these Federal Agencies into DHS all will be well. Is this a good thing? At this point I don’t know how I would answer that question.
The final initiative is directly related to control systems. “Initiative #12. Define the Federal role for extending cybersecurity into critical infrastructure domains”. If you read the corresponding paragraph, it interestingly does not match the Initiative description of “defining the Federal role”. What should the Federal role be? Should they mandate cyber security measures for private critical infrastructure companies and have enforcement mechanisms similar to the electric sector? Should they simply provide security guidance? Emergency response assistance? What should the USG role be? Should it be more like the European model that seems to be making more progress with less furor?
Instead, the paragraph on Initiative 12 talks about building on existing partnerships, creating public/private information sharing, etc. These are all items, particularly information sharing, that have been talked about, and had organizations purpose-built for them, for five or more years. I don’t think it is controversial to say that the results have fallen far short of expectations. So far there has not been a shift in the benefits to participation or significant USG changes in approach that would lead to these efforts now bearing fruit.