By: Stephen W.T. O'Keeffe, Founder, MeriTalk (www.meritalk.com)
You see, my stepfather was a bookie – "turf accountant" as they're known in the old world – so, I know a little bit about the ponies. If you had a horse with excellent breeding, build, and upbringing, we'd call that a CERT – as in certain to win. If that CERT can't manage to win, or for that matter show or place, the first thing the trainer does is change its routine. If that fails, they change the jockey. And if that fails, the owner changes the trainer.
Well, if Federal cyber security were a horse – CERT – I think we'd all consider it an important mount. So let's study the form back to 1990. We've seen a lot of this colt in the paddock and the owners have pumped out a lot of paper underlining their commitment and race strategy – see Clinton's PDD 63, Bush 43's NSSC, and now Obama's 60-day Cyber Review. In the last five years, CERT has had four jockeys – Yoran, Purdy, Garcia, and Kwon. And now we have a new rider – Randy Vickers, promoted from within DHS NCSD. Since 2003, we've seen trainers come and go – Clarke, Beckstrom, and now Hathaway. In the same timeframe, the Feds have lost their FISMA religion; TIC is at best confused; and every Tom, Demetri, and Hao is galloping through our cyber defenses. Oh, and the cloud push is significantly increasing the complexity of the problem – or perhaps affording an opportunity for a new, innovative, and more elegant solution? It's not like hackers and uniformed cyber warfare officers from competing nation states are pipping CERT at the line. At most meets we can't even get our pony into the starting gate. It's no wonder that a series of candidates have passed on the opportunity to fill Hathaway's shoes. Considering performance, to put it politely, you'd have to be crazy to take a flutter on this gee-gee.
So, is CERT headed for the glue factory, and if so, why? And, what, you may ask, do I know about Fed cyber security, U.S.-CERT, NCSD, and the public-private debate on securing our nation's cyber space?
Well, I spent the longest year of my life working onsite at DHS NCSD at the GSA building at 7th and D, SW. Kiss and tell really seems to be the done thing these days – even the former vice president's firm upper lip is flapping. Without going into details, I can say that the organization was the most dysfunctional I have ever encountered in 20 years in the government IT community. Vicious infighting among the appointees, career/contractor wrestling matches, non-profit calculated ambivalence, government affairs operatives that leak like sieves to The Washington Post, directionless public-private partnership meetings, the list goes on. I sincerely hope that things have changed significantly since my time at DHS – a time when I watched the hard work and initiative of talented government professionals rewarded with distrust and derision. I believe that this dysfunctionality is the fundamental source of the national cyber security problem.
If you take exception with my title – you absolutely should. However, the undeniable truth is that our failure to act appropriately is ceding control of our nation's cyber infrastructure to our adversaries. The definition of insanity is to assume the same behavior and expect a different outcome. We have ample documentation of the problems. We have no shortage of initiative, innovation, and integrity in both the public and private sectors. Why not define a budget and challenge our best and brightest to propose a series of competing holistic solutions – and evaluate those proposals based on their merits? And then move swiftly to operationalize. It’s time to completely change the race – not merely change the silks and ride on. Considering the economic gravity of America's Internet infrastructure, it's time to learn from the past – not gamble with our future.