In a speech about cyber security delivered from the White House East Room, President Obama said, "We're not as prepared as we should be, as a government or as a country." This statement came as Melissa Hathaway's much-anticipated sixty-day review was released on May 29. The report is titled "Cyberspace Policy Review - Assuring a Trusted and Resilient Information and Communications Infrastructure."
When President Obama announced this sixty-day review, it was reported to be focused on reviewing the U.S. Government's cyber-security plans, programs, and activities. As a result, many security professionals are left feeling flat. Brian Martin from Spy-Ops said he is "at a loss how we ended up with just a Policy review; it seems like a long way from the original objective." On February 9th, MSNBC wrote in an article that "President Barack Obama on Monday ordered a sixty day review of the nation's cyber security to examine how federal agencies use technology to protect secrets and data."
It seems that there is a discrepancy between what was expected and what was delivered. Rumors abound that the objective was closer to what MSNBC and many others reported. Many believe the findings painted a picture of cyber security, as assessed for this report, so bad that the published report was either a subset of the entire report, which was said to be marked For Official Use Only (FOUO), or a filler document created after a decision was made not to release the actual findings.
The term FOUO is used to identify unclassified information that is of a sensitive nature. The unauthorized disclosure of information marked as FOUO could adversely impact programs or operations essential to the national interest and security. FOUO information is distributed on a need-to-know basis. Need-to-know is a determination by an authorized holder of the information that a prospective recipient requires access to specific information in order to perform or assist in a lawful and authorized governmental function, i.e., access is required for the performance of official duties. It was pointed out to me that FOUO documents are exempt from requests under the Freedom of Information Act. One person I talked to said, "60 days to generate a 76 page PDF file that contained 10 totally blank pages and nothing new - give me a break!" A very interesting observation at best.
On February 8th, the Wall Street Journal reported that "She (Melissa Hathaway) will lead a review of the government's efforts to secure computer networks against spies, terrorists and economic criminals and is expected to then head a new White House office of cyber security." The report seems to fall well short of the objectives stated above. The body of the report is in reality less than thirty pages. Perhaps the most valuable and insightful pieces are Tables 1 through 3: Near-Term and Mid-Term Action Plans. These plans provide a very high-level glimpse into what actions will be taken to secure cyberspace and manage the threat to the U.S. economy and national security.
Is there anything revolutionary or unexpected in the report? Not really! However, many have commented that the statement at the top of page thirty-five (quoted below) is encouraging.
"Work with industry to provide threat information and identify best practices for managing supply chain and insider risks, both from economic and threat perspectives."
Industry involvement is critical if these efforts are going to have any degree of success. Integrating supply chain security to reduce the threat of compromised or counterfeit hardware and software is seen as one of the cornerstones of the security foundation necessary to safeguard our critical infrastructure and our computer systems and networks. Given that insiders are estimated to be involved in around 80 percent of security breaches, defensive actions to mitigate insider threats are another cornerstone of a security foundation.