This is probably why we can't have nice things!
Those who make the rules should probably work out the kinks internally.....
On the most recent edition of my daily podcast, the CyBUr Smart Morning News Update (available at all your favorite podcast providers) I talked about these two headlines:
“US State Dept has no idea if its IT security actually works, say auditors” (https://www.theregister.com/2023/10/02/us_state_security_gao/)
“NATO investigating breach, leak of internal documents” (https://cyberscoop.com/nato-siegedsec-breac/)
I highlighted these articles because the US government and NATO have “cyber strategies” that they would like to impose upon everyone because they have an inflated belief in their own capabilities and “knowledge” of what cyber even means or how to address it.
Now admittedly, this sentiment is coming from a career of 20 years seeing the government from the inside: the good (the people doing the day-to-day business) and the bad (leaders and decision-makers, not all - but enough to set a standard). And to be honest, I am sure the decision-makers coming up with cybersecurity standards, policies, requirements, EOs and the like, are, for the most part, well-meaning, but they run headlong into the fire, without understanding the full scope of the problem and therefore not really poised to develop the right strategy to address it.
The two articles referenced show that both NATO and the USG have pretty crappy internal cybersecurity controls, and likely strategies to deal with the world of cyber bad actors. Granted, the first article only references the State Department, but I would wager their issues are repeated across many other USG departments (do a quick Google search - reports are plenty) and the news on other agencies' bad practices is coming. So I do think that incidents like this tend to undermine the trust and faith that overarching cybersecurity strategies these entities rain down from on high are worth paying attention to. Perhaps policymakers should take some time to gauge if they truly have a handle on the depth and breadth of the problem and can create solutions to address it.
IMHO, the only way to really get on a true path towards a solution of creating cybersecurity strategies that can be globally accepted is to partner with entities outside the federal playground to evaluate intelligence, anticipate cyber evolutionary changes, and create solutions that they use themselves and have a track record of success. History shows the way they are currently doing it does not have such a track record. And sadly, I’m not sure much will change soon.
Opposing opinions and thoughts are welcome.