Sorry, but the government is not going to FIX our cybersecurity problems
Despite their "BEST" efforts
On the 12/5 edition of the CyBUr Smart Morning News Update (available at all your favorite podcast providers) I mentioned the article in this link: CISA's Eric Goldstein wants to ditch 'patch faster, fix faster' model | CyberScoop. I always click through these types of headlines because there are always government officials who think they have the magic bullet to solve our cybersecurity woes. After spending 20 years in the FBI watching the internal machinations of the federal bureaucracy, and paying close attention to it post-FBI (and yes, you may accuse me of being jaded, and I might admit there is some of that), I don't think that cavalry is up to the challenge.
Now I don't mean this to say that those in the government (here or elsewhere) are not well meaning, don't honestly want to find a solution, or aren't knowledgeable. I simply do not think that randomly making suggestions, creating Executive Orders (with no teeth), or adding to the national Regulation registry will have the impact these officials think they will.
Let's look at Mr. Goldstein's "idea". From the article (he was speaking at an event held by the nonprofit International Information System Security Certification Consortium):
"To say that our solution to cybersecurity is at least in part, patch faster, fix faster, that is a failed model," Goldstein said at an event held by the nonprofit International Information System Security Certification Consortium. "It is a model that does not account for the capability and the acceleration of the adversaries who we're up against." Goldstein, the executive assistant director for cybersecurity at CISA, argued that delivering broad gains in computer security requires a "philosophical shift" that puts a smaller burden on school districts, water utilities, and small businesses to maintain secure systems, and asks more of the large companies to provide secure software and hardware.
Sorry to say, but this is not a unique proposition. I am pretty sure we have asked HW and SW companies to improve the security inherent in their systems since the dawn of HW and SW. The fact is, humans create these systems, humans evaluate these systems, humans test these systems before deployment, and (most importantly) HUMANS ARE FALLIBLE. A perfectly secure system is not practical (at least if you want to be able to actually sell it at an affordable price or in a timely manner).
Now I do not doubt Mr. Goldstein's sincerity in believing this is a good idea (especially since he was "speaking to the choir" with this quote), and he has a seemingly lengthy cyber resume, but I think experience has shown that pontifications like this solve nothing.
So, do I have my own solution? Thanks for asking, because yes, I do. Now this is my own opinion and I fully expect, and welcome, differing opinions, but I think this is a larger issue than just "patching cadence" and how secure HW and SW is. It is a lack of a well-defined cyber strategy and cyber leadership culture in the organizations Mr. Goldstein was speaking about. How do we help SMBs, municipalities, schools, and non-profits fill this gap? By creating opportunities for community knowledge sharing, easily accessible and actionable cyber intelligence, and benefits for these organizations to engage in filling these gaps. I'd love to see discussions on tax breaks, regional grant opportunities, or other monetary inducements that would entice organizations to focus on these areas. Perhaps that is too simple (and in rereading this, maybe it is), but we need to do some basics first before looking for one global, all-encompassing (and not likely to work) solution.
More carrot, less stick.
Dissenting (or concurring) opinions/comments/thoughts are always welcome.
Enjoy your week.
#knowledgeisprotection