Three notes at the start:
- There are many talented people in OT Security who have lost and are losing their US Government jobs. There will be contractors who lose their jobs. This is an unearned hardship; my hope is all will land somewhere even better quickly.
- It took time for USG / CISA to recruit this talent and build it into a team. It is a serious loss of a capability.
- CISA and other USG departments do a lot of things. I’m only aware of, and this article only applies to, their role related to private sector OT security.
Four thoughts:
No Metrics / No Evidence That There Will Be Any Negative Impact
Loyal readers know I’ve been frequently critical of the USG / CISA’s near total lack of metrics related to risk reduction or OT security program improvement in the US OT critical infrastructure. Now it comes back to bite USG / CISA proponents.
They can neither point to the success the employees and expenditures achieved, nor will we be able to point to any lack of progress or degradation based on the cuts.
USG “Success” Was Based On Activity, Not Progress
The vast majority of the objectives in the US Cybersecurity Strategy and Implementation Plans were of the form “study this topic, stand up that group, write this report, …”, and the USG proudly said they accomplished 92% of their initiatives. Did it reduce risk? Make US OT critical infrastructure more secure? More resilient? No evidence has been provided pro or con, but these 5 groups stood up, wrote 12 reports, and held 23 coordinating meetings.
One somewhat comical example was the “success” of the fourth annual global gathering of the International Counter Ransomware Initiative, never mind that ransomware incidents and costs had gone up in each of those four years.
I’d much rather have heard about the 10 things CISA tried that failed, and how they are altering their approach or even trying something different. These are hard problems. And not failing is not trying in most things.
Going back to the first point, there could have been some things that led to risk reduction or improved security or resilience. Not measuring hides success as well as failures.
Much Of What CISA And Other USG Did Was Of Minimal Value
Such as:
- 8-figure programs to test OT software and hardware and identify that it was insecure by design or had 101-level vulnerabilities. Something done by five pro bono researchers in a week in 2012. Something well known by the OT security community. Something those vendors could have found out much, much cheaper (if they didn’t know already).
- All those guidance documents repeating well known and documented 101-level information.
- Programs to prove security technology x could be used in vertical sector y. Was there really any doubt?
The quality of the work on many of these programs was quite good. Again, it’s not a question of the talent. It’s a question of why we were asking the talent to do a lot of this.
Tremendous Opportunity For Asset Owners
Let’s end this with a hopeful item. A large (for the US OT security sector) amount of talent will suddenly become available and be on the job market. And they were not making crazy startup salaries.
Asset owners have sometimes struggled to convince top talent to join their OT security team. This is a great time to build out your team before the next hiring wave makes it a tight market again, like it has been most of the time since ~2017.