Better Government Cyber Security: don’t hold your breath

It is one thing to plan, something else entirely to turn it into reality:

The DHS plans to collocate private-sector employees from the
communications and IT industries with government workers at the U.S.
Computer Emergency Readiness Team (US-CERT) facility here, said Gregory
Garcia, assistant secretary of cybersecurity and telecommunications at
the DHS. The teams will work jointly on improving US-CERT’s information
hub for cybersecurity, Garcia said. The agency didn’t specify a
starting date for the program but said it will begin soon.

Every corporation willing to give up a top-notch employee to a rotation to the government (out of the goodness of your heart, because you’ll have to eat their salary), raise your hand.

Every highly skilled private-sector employee willing to support two households for a year on your current salary and who is prepared to subject yourself to the grinding bureaucracy of DHS, line up over here.

That’s what I thought.

Mr. Assistant Secretary, you can’t do this on the cheap because you are going to get what you pay for. The money Uncle Sam paid your predecessor could comp industry for 3-4 great folks. A little COLA adjustment wouldn’t hurt either, but that’s icing. I’m assuming that since you came from a private-sector lobbying gig you understand how the economics works, so I’m also assuming that you are wed to this course of action because of circumstances that are out of your control. When this effort comes up short, you might want to begin a lobbying effort to change those circumstances.


What Year is This?

I feel like I’m taking crazy pills here . . .

The Homeland Security Department finally named an assistant secretary for cybersecurity last year, and the Senate ratified the first international treaty on cybercrime.

The Computer Security Industry Alliance had lobbied for these achievements for more than two years and counts them as big wins, said acting executive director Liz Gasster. But the nation still lacks a comprehensive data security law, and DHS needs to develop response and recovery plans for disruptions of our critical infrastructure.


CSIA has set out a cybersecurity agenda for government for the last two years, with only indifferent results. In its Federal Progress Report for 2006, it gave the administration an overall grade of D because of failures to pass privacy legislation and to set clear priorities for future work.

It seems like just yesterday that RTM shut down the inter-tubes with his Sendmail experiment. In the aftermath CERT/CC was born (gov’t sponsored but run by the academy – a foreshadowing) and annual projections of a) the death of the Internet, b) the need for more cooperation, and c) the need for more legislation followed. In the meantime we’ve had a few Digital Battle of Wake Islands, the .com boom and bust (and .com bust-boom), too many parallels to Snow Crash to count and version .9 of Hari Seldon’s Encyclopedia Galactica.

Every year the same discussions, every year the same problems, every year more threats, every year we expose ourselves more and every year no forward progress. Why?

Main St. Fallujah

This story from LGF and this bit by Lind seem to suggest that maybe Fallujah in your home town might not be that far off. I suggested as much in both written and verbal formats, though like Lind I was focusing on different perps and victims. Domestic reporting indicates that the raw materials are readily available (to the baddies) in bulk and if there isn’t a Jihadist Web site (or old Army FM) with the requisite know-how online I’d be surprised.

Consider this your friendly neighborhood threat warning report . . . I elaborate at ThreatsWatch.