Feds Persist with EO Talk, Despite Being Pwn3d


A quick jab... allow me to once again highlight the absurdity that is the US Government when it comes to "cybersecurity." They simply don't get it. I'm not surprised, incidentally, since they are not technologists or security professionals, though this underscores why I'm continually annoyed by their insolent attempts at ramming solutions down the throat of private industry.

As of late last week, DHS Secretary Napolitano has said that the pending Executive Order on cybersecurity is nearing finalization, implying that this is essentially a "done deal" that will be executed. Ironically, while the politicians and bureaucrats tout their progress, we learned this morning that the White House itself may not even be able to protect some of its most important assets (the "football"). So... this is the example we're supposed to follow? Do as they say, not as they do?

I'm obviously not going to go back and re-hash my "3 Simple Ideas to Unbalance the InfoSec Status Quo" post, but suffice to say, I'm in favor of simple rule changes that will cause the market to readjust accordingly. This is America, home of an alleged free market economy. We do not need ignorant, over-confident, non-technical politicians and bureaucrats telling us how to run our businesses or how to secure our assets.

If it were so simple as to write down a bunch of detailed standards, then the US Government itself would surely not be having the myriad problems that make it one of the most compromised organizations in the country (if not the world). This is the same entity that has lost tons of classified information around nuclear weapons and advanced fighting platforms. Are we really supposed to believe that any form of detailed technical legislation or Executive Orders will somehow magically "solve" a problem that they so clearly haven't defined or understood? Methinks not...


The Beacon article about the Whitehouse "hack" is incoherent. It comes off as someone feeding the media beast a bunch of headline phrases from unidentified sources about a story with no substance. For what purpose, one wonders.

True... however, this is hardly an isolated or unique story... it's merely the latest example of (potential) incidents...

Ok, but it isn't a story. It's manufactured nonsense. Linking to it undercuts what are otherwise reasonable points. Better to link to a real instance where they messed up. Shouldn't be hard!

The incident has been confirmed by the White House...

I hardly think it undermines the point of the piece if the story is in fact true.

Someone in the Whitehouse, on a non-classified system clicked on a spear phishing link. The incident was isolated. WH official: "These types of attacks are not infrequent and we have mitigation measures in place." This is news?

I'm not in disagreement with your point about the "absurdity that is the US Government when it comes to "cybersecurity"". Same point is made in this piece in Forbes:

*shrug* Fine, it's a weak example. The point, however, is that no detailed technical standard - especially not one codified as law - is going to do anything to stop these incidents from happening.

Re-hash or not, this post sums up the situation poignantly. "Do as they say, not as they do?"--"new" problem, textbook cliche governmental incompetence. You called it how it is.
"...ignorant, over-confident, non-technical"--these words perfectly describe the condition of being a child minus "non-technical." If we elected literal children instead of (wo)man-children, would policy actually be more effective? We'll never know until we try!

About this Entry

This page contains a single entry by Ben Tomhave published on October 1, 2012 10:16 AM.
