Is the US Government Making Security Worse?

The topic of "cybersecurity" is once again very hot in Washington, DC. Unfortunately, this means it's in the domain and purview of politicians, which should make any self-respecting professional wince. After all, it's not often that politicians get regulations "just right"... one need only look at recent failures like No Child Left Educated (er, Behind, I suppose) to see just how bad things can get when politicians cross the line from legislating toward outcomes vs. legislating very specific practices. The electricity sector provides another ready example, though a bit more complex, insomuch as the detailed NERC Critical Infrastructure Protection (CIP) requirements have overwhelmed organizations that have displayed an underwhelming sense of urgency or competency around the topic of cybersecurity.

The point to this mild rant is simply this: the more deeply politicians seem to get involved with cybersecurity, the worse things seem to get. And, lest we be led astray, we should not forget that, aside from the Education sector, civilian agencies in the federal government are perhaps the worst offenders when it comes to failing to implement reasonably solid cybersecurity. There are a few reasons why I think this is the case.

1) NIST Is Not the Answer

I've already written a bit about standards devolving into compliance regimes. However, there's more that needs to be said on the topic, especially as it applies to NIST and FISMA. Of all the compliance regimes I've seen, the one operated by the US Government is the worst offender in terms of ignoring reasonable risk management functions in favor of mindless compliance with requirements that may or may not make any sense in context. Let's look at three examples of where NIST fails.

RMF and "Worst Case Scenarios"

NIST's Risk Management Framework (RMF) is a prime example of compliance regimes gone bad. If RMF were to lead to performing actual risk analysis, then perhaps things would be better. Alas, it's not the case. In fact, it's worse than you might imagine. Rather than not doing risk analysis, they actually advocate doing a very poor approximation based - not on what's reasonable or realistic - but on "worst case" scenarios. It's no wonder everything in the federal space seems to be driven by FUD.

Evidence of this allegation can be found in response to the first question listed under the RMF "Step 1 FAQs" - "1. WHAT IS SECURITY CATEGORIZATION AND WHY IS IT IMPORTANT?" - which says:

"The security category is based on the potential impact (worst case) to an organization should certain events occur that jeopardize the information and information systems needed by the organization to accomplish its assigned mission, protect its assets and individuals, fulfill its legal responsibilities, and maintain its day-to-day functions."

So, specifically, their "risk" assessment is based on the potential "worst case" impact. Using such an analysis will inevitably lead to poor decision-making, since almost everything can be twisted under a "worst case" mindset to have potentially catastrophic effects. This is not risk assessment or risk management: it's fear-mongering, and a lousy way of life.

DOE RMP & ESCRMMI

Similar thinking is now emerging within the world of the energy sector, and specifically through the DOE "Risk Management Process" (RMP) - adapted directly from NIST RMF - and the DOE "Electric Sector Cybersecurity Risk Management Maturity initiative" (ESCRMMI), which is not about risk management, but rather about assessing security capabilities in electric sector organizations.

There are many issues around the energy and electric sectors (critical infrastructure in general, really), and this post is not about that. Rather, the key here is to note that the government is once again pushing a prescriptive approach, rather than trying to legislate to a desired outcome. Oh, sure, they think they're driving toward an outcome, but the problem is that their approach is outdated, provably wrong, and detrimental to cybersecurity improvements. These approaches are being sought because of the perception that the NERC CIP requirements haven't been adequately met, and that the electric sector is so woefully insecure that a catastrophic event is in the offing.

Of course, as noted above, we should not be surprised by this fatalistic mindset based on "worst case" thinking - it's how they view "risk assessment"! However, it's also worth pointing out that electricity is still quite reliable and that, despite incidents and outages, the built-in fail-safe reliability measures have - by design! - prevented a major catastrophe. Unfortunately, any risk assessment and analysis that does not take into consideration the probability of given scenario impacts will overlook these truths in favor of FUD and rhetoric. It should give us pause and make us question the agenda(s) that may be in play (e.g., DHS and US CyberCommand perhaps making a play for more direct control over critical infrastructure cybersecurity - not that they have any track record of success in this space!).
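To make the contrast between "worst case" categorization (the FAQ answer quoted above) and probability-aware risk analysis concrete, here is an added example that is not part of the original post. It uses a handful of constructed scenarios for a fictional organization, with made-up likelihood and impact figures, and shows that ranking by worst-case impact alone orders them differently from ranking by expected annual loss. The thresholds in `worst_case_category` are illustrative placeholders, not NIST's actual categorization rules.

```python
"""Worst-case categorization vs. probability-weighted risk ranking.

Constructed example for illustration only. Every scenario, probability and
dollar figure below is made up; none of it comes from the original post.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Scenario:
    name: str
    annual_probability: float   # rough chance of occurrence per year, 0..1
    impact_usd: float           # rough loss if the scenario does occur


# Constructed sample data (illustrative placeholders, not real estimates).
SCENARIOS: List[Scenario] = [
    Scenario("regional grid outage from coordinated attack", 0.0001, 500_000_000),
    Scenario("phishing-driven credential theft",             0.60,       250_000),
    Scenario("unpatched web application exploited",          0.30,     1_200_000),
    Scenario("laptop lost with unencrypted data",            0.15,     2_000_000),
]


def worst_case_category(s: Scenario) -> str:
    """Mimic a pure worst-case categorization: impact magnitude only,
    likelihood ignored. Thresholds are hypothetical."""
    if s.impact_usd >= 10_000_000:
        return "HIGH"
    if s.impact_usd >= 1_000_000:
        return "MODERATE"
    return "LOW"


def expected_annual_loss(s: Scenario) -> float:
    """Probability-weighted loss: likelihood times impact."""
    return s.annual_probability * s.impact_usd


def rank_by_worst_case(scenarios: List[Scenario]) -> List[str]:
    """Order scenarios the way a worst-case mindset would: biggest impact first."""
    return [s.name for s in sorted(scenarios, key=lambda s: s.impact_usd, reverse=True)]


def rank_by_expected_loss(scenarios: List[Scenario]) -> List[str]:
    """Order scenarios by expected annual loss, largest first."""
    return [s.name for s in sorted(scenarios, key=expected_annual_loss, reverse=True)]


def rank_shifts(scenarios: List[Scenario]) -> dict:
    """For each scenario, how many places it moves between the two rankings.
    A positive number means it matters more once likelihood is considered."""
    worst = rank_by_worst_case(scenarios)
    expected = rank_by_expected_loss(scenarios)
    return {name: worst.index(name) - expected.index(name) for name in worst}


if __name__ == "__main__":
    print("Worst-case ranking:")
    for s in sorted(SCENARIOS, key=lambda s: s.impact_usd, reverse=True):
        print(f"  {worst_case_category(s):8s} ${s.impact_usd:>13,.0f}  {s.name}")
    print("\nExpected-loss ranking:")
    for s in sorted(SCENARIOS, key=expected_annual_loss, reverse=True):
        print(f"  ${expected_annual_loss(s):>11,.0f}/yr  {s.name}")
    print("\nRank shifts (worst-case position minus expected-loss position):")
    for name, shift in rank_shifts(SCENARIOS).items():
        print(f"  {shift:+d}  {name}")
```

With these constructed numbers the catastrophic-but-rare grid scenario sits at the top of the worst-case list and at the bottom of the expected-loss list, while the mundane web application scenario moves the other way. That gap is exactly what a categorization that ignores likelihood cannot see, and it is where budget and attention get misallocated.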

Quashing Innovation Through Specificity

All of these various initiatives have one thing in common: they're overly prescriptive, leading to mindless compliance regimes, and resulting in a detrimental impact on creativity and innovation. If the government applies its old-school thinking to the problem, and then prescribes in great detail its old-school approach, then we should not be surprised when a) it fails, and b) it causes people not to seek improvements, but to simply do (and think) less. We do not need more mindless compliance today; we need more innovation!

2) Poor White House Leadership

One might want to eagerly attribute government compliance regimes to Congress since they are ultimately the ones who created the organizing frameworks. However, I think that attribution would be misplaced. Specifically, I think that the White House is increasingly to blame for the wrong directions being followed. Many had high hopes when Howard Schmidt was appointed as Cybersecurity Coordinator for the Obama Administration. Unfortunately, if what I've seen and heard lately is any indication, the wheels are coming off this crazy train, and fast.

Lest you think this is just random innuendo, consider a couple of examples... the first is DOE ESCRMMI (mentioned above)... there were a couple of interesting attributes to this project. The "ask" from the White House was "assess the security capabilities of electric sector organizations." Somehow this turned into a CMM-style "risk maturity model" that has little to do with "risk" and isn't even really about measuring capability maturity. Moreover, an incredibly short timeframe (by government standards) was set to get the assessment running (about 4 months). As such, those behind the initiative appear to have spent more time going down a familiar road (e.g., building off of the Smart Grid CMM) rather than researching and evaluating other viable methods. Ultimately, this comes directly back to the White House.

In at least one other case, I've heard anecdotally that the White House is pushing back on a current line of innovation, questioning the trustworthiness of key components, and advocating an alternative approach that essentially scraps the entire innovation, with the added "plus" of asking for a complete 180-degree flip in data flow (as if this is something that can just be magically done). No clear indication has been revealed thus far as to why their approach - which seems to cater to the whims of auditors (because they're never wrong) - would be preferable. Suffice to say, it's frustrating to be in an industry where innovation ends up being actively undermined by people living in an antiquated mindset. Why enable the current failed practices when the important aspects can be automated, freeing traditional resources (like auditors) to focus on more important concerns? (By the way, this is not a new problem - it was mentioned at least as far back as 2010, when the current wave of "continuous monitoring" initiatives was starting to gain traction.)

If only this was our only challenge...

3) Counter-Productive Legislation

If we're looking to politicians to solve our problems, then I hate to say it, but that's just one more thing we're wrong about. More importantly, we do not need inexpert politicians telling us how to do our jobs. Rather, where regulations are often most effective is in legislating a desired outcome, such as legal defensibility, survivability, or data privacy. Alas, in this age of insipid corruption and excessive corporate influence, we are seeing regulations that are increasingly detailed, and obviously designed to either benefit specific special interests, or be so detailed as to be unsupportable.

To make matters worse, we seem to be in an era of unprecedented government overreach, with politicians not only selling out wholesale (such as with ACTA and SOPA/PIPA), but also trying to grab more and more power in the digital realm (such as with CISPA).

So, to bring things back full-circle... not only are we seeing exceedingly specific pieces of legislation, sponsored by unqualified amateurs, based on grossly outdated concepts, and serving the needs of special interests, but they're also written in such a way that they expand the role and power of the central government, which cannot even seem to secure its own systems. This doesn't strike me as a recipe for success. In fact, I think I'll go so far as to say that "no good can come of this."

More importantly, we need to be mindful of any regulation that is so specific as to dictate how to do cybersecurity. Such a bill is not productive, and is immediately in danger of becoming obsolete and ineffective before it's signed into law. Instead, the focus needs to be on legislating toward a desirable future state: one that puts a premium on rigorous, defensible risk management, increased visibility and detection, continuous monitoring and reporting that helps shorten the lifecycle of incidents, and an overall approach that ensures survivability rather than implementation of arbitrary controls that may or (more likely) may not make any appreciable difference.

Closing Thoughts

Allow me to close by doing what I've done many times in the past: drawing a parallel with education. We've seen the impact of No Child Left Educated (er, Behind). Schools have shifted dramatically away from "education" to "training," with the end result of teaching to test, incentivizing teachers to cheat in order to save their own jobs, and an overall effect of decreased educational quality. This is a prime example of federal government overreach making a bad situation worse.

Now, in contrast, let's look at the public school system in New Orleans. Yes, that's right, New Orleans - the Big Easy - a notoriously low-end urban environment that historically produces violent drop-outs. According to a recent OpEd in the Washington Post, the schools there have started improving dramatically in the aftermath and recovery from Hurricane Katrina in 2005. Why? It seems that the local politicians have gotten out of the way of teachers and administrators, and have shifted to a more outcome-oriented approach. With a directive to make the schools better, and holding people accountable, the results are quite interesting.

The only major negative I still see in the piece is the use of standardized tests as the benchmark of success. As such, this may just be an example of effectively teaching to the test. However, the point still stands: performance increased while politician intervention decreased. In general, innovation thrives when it's not being actively quashed by those in power.

Suffice to say, it's a small victory, but a positive sign. Hopefully it's an early indicator of changes in other areas, including changes in cybersecurity. If ever there was a time to innovate and start demonstrating a better reality - one that beats out the constant deluge of FUD - then now is it. We can get there by making better use of risk analysis techniques, as well as by demonstrating that reasonable outcomes are achievable. Showing positive changes that break from the failed mindset(s) of the past would be a great way to counter all the bad changes that the US Government has been promoting as of late. Here's to hoping for a better future!

About this Entry

This page contains a single entry by Ben Tomhave published on May 1, 2012 3:38 PM.
