<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments on: First Impressions of the Cyberspace Policy Review</title>
	<atom:link href="http://www.ascensionriskmanagement.com/BlogOne/2009/05/29/first-impressions-of-the-cyberspace-policy-review/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.ascensionriskmanagement.com/BlogOne/2009/05/29/first-impressions-of-the-cyberspace-policy-review/</link>
	<description>An Infosec Blog</description>
	<lastBuildDate>Tue, 31 Jan 2012 09:40:52 -0500</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8.4</generator>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
		<item>
		<title>By: Qigong</title>
		<link>http://www.ascensionriskmanagement.com/BlogOne/2009/05/29/first-impressions-of-the-cyberspace-policy-review/comment-page-1/#comment-595</link>
		<dc:creator>Qigong</dc:creator>
		<pubDate>Mon, 23 May 2011 10:03:06 +0000</pubDate>
		<guid isPermaLink="false">http://www.ascensionriskmanagement.com/BlogOne/?p=543#comment-595</guid>
		<description>&lt;strong&gt;Trackback Post On Anxin&#039;s Blog...&lt;/strong&gt;

...Another similar post which you might...</description>
		<content:encoded><![CDATA[<p><strong>Trackback Post On Anxin&#8217;s Blog&#8230;</strong></p>
<p>&#8230;Another similar post which you might&#8230;</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: gsmckee4</title>
		<link>http://www.ascensionriskmanagement.com/BlogOne/2009/05/29/first-impressions-of-the-cyberspace-policy-review/comment-page-1/#comment-318</link>
		<dc:creator>gsmckee4</dc:creator>
		<pubDate>Mon, 01 Jun 2009 18:44:25 +0000</pubDate>
		<guid isPermaLink="false">http://www.ascensionriskmanagement.com/BlogOne/?p=543#comment-318</guid>
		<description>Vlad, 

I think you have brought up a good point.  As I’ve been thinking about it something came to mind and that is that this is a position paper and a study put out by the White House.  It was also put out after several bills have been read in and referred to committee so it was released with full knowledge of what was contained in those bills.  The bill that I’m thinking of specifically is S 778 which is intended to establish the Office of the National Cybersecurity Advisor within the Executive Office of the President.  Aside from establishing the office, it also gives the advisor the authority that you’re looking for.  In &lt;a href=&quot;http://thomas.loc.gov/cgi-bin/query/z?c111:S.778:&quot; rel=&quot;nofollow&quot;&gt;Section 1(b)(4)&lt;/a&gt; it says that the advisor “shall review and approve all cybersecurity-related budget requests submitted to the Office of Management and Budget.”

Now the way that I’ve been looking at it is that the review is really more of a direction paper and that the details – at least on how everything will be organized and interrelated – will probably come from the legislation.  With &lt;a href=&quot;http://thomas.loc.gov/cgi-bin/query/z?c111:S.773:&quot; rel=&quot;nofollow&quot;&gt;S 773 (Cybersecurity Act of 2009)&lt;/a&gt; and S 778 you can start to put together a rough idea as to how things may pan out.  There are issues, as &lt;a href=&quot;http://www.guerilla-ciso.com/archives/973&quot; rel=&quot;nofollow&quot;&gt;Rybolov pointed out on his analysis of S 773&lt;/a&gt;, with who is responsible for what now as opposed to who is being given the responsibility in the bill but I’m sure we’ll have a better picture as the legislation moves through committee.</description>
		<content:encoded><![CDATA[<p>Vlad, </p>
<p>I think you have brought up a good point.  As I’ve been thinking about it something came to mind and that is that this is a position paper and a study put out by the White House.  It was also put out after several bills have been read in and referred to committee so it was released with full knowledge of what was contained in those bills.  The bill that I’m thinking of specifically is S 778 which is intended to establish the Office of the National Cybersecurity Advisor within the Executive Office of the President.  Aside from establishing the office, it also gives the advisor the authority that you’re looking for.  In <a href="http://thomas.loc.gov/cgi-bin/query/z?c111:S.778:" rel="nofollow">Section 1(b)(4)</a> it says that the advisor “shall review and approve all cybersecurity-related budget requests submitted to the Office of Management and Budget.”</p>
<p>Now the way that I’ve been looking at it is that the review is really more of a direction paper and that the details – at least on how everything will be organized and interrelated – will probably come from the legislation.  With <a href="http://thomas.loc.gov/cgi-bin/query/z?c111:S.773:" rel="nofollow">S 773 (Cybersecurity Act of 2009)</a> and S 778 you can start to put together a rough idea as to how things may pan out.  There are issues, as <a href="http://www.guerilla-ciso.com/archives/973" rel="nofollow">Rybolov pointed out on his analysis of S 773</a>, with who is responsible for what now as opposed to who is being given the responsibility in the bill but I’m sure we’ll have a better picture as the legislation moves through committee.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Architecture Blogs</title>
		<link>http://www.ascensionriskmanagement.com/BlogOne/2009/05/29/first-impressions-of-the-cyberspace-policy-review/comment-page-1/#comment-315</link>
		<dc:creator>Architecture Blogs</dc:creator>
		<pubDate>Fri, 29 May 2009 23:10:06 +0000</pubDate>
		<guid isPermaLink="false">http://www.ascensionriskmanagement.com/BlogOne/?p=543#comment-315</guid>
		<description>&lt;strong&gt;Architecture Blogs...&lt;/strong&gt;

[...] Building the architecture of the future. Under Leading from the Top, the report calls for the US to be a world leader in addressing the challenges of cyberspace. In order to do so the report states that in order to realize this goal, ... [...]...</description>
		<content:encoded><![CDATA[<p><strong>Architecture Blogs&#8230;</strong></p>
<p>[...] Building the architecture of the future. Under Leading from the Top, the report calls for the US to be a world leader in addressing the challenges of cyberspace. In order to do so the report states that in order to realize this goal, &#8230; [...]&#8230;</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Vlad the Impaler</title>
		<link>http://www.ascensionriskmanagement.com/BlogOne/2009/05/29/first-impressions-of-the-cyberspace-policy-review/comment-page-1/#comment-314</link>
		<dc:creator>Vlad the Impaler</dc:creator>
		<pubDate>Fri, 29 May 2009 19:45:16 +0000</pubDate>
		<guid isPermaLink="false">http://www.ascensionriskmanagement.com/BlogOne/?p=543#comment-314</guid>
		<description>Graydon,

One of the disappointing parts about the recommendations in the review (which is long overdue!) is about the &quot;policy official&quot;

Page 8, 1st full paragraph...

&quot;The cybersecurity policy official should not have operational responsibility or authority, nor the authority to make policy unilaterally. Using interagency coordination processes, the cybersecurity policy official should harmonize cybersecurity-related policy and technology efforts across the Federal government, ensure that the President’s budget reflects federal priorities for cybersecurity, and develop a legislative agenda, all in consultation with the Federal government’s Chief Technology Officer and Chief Information Officer—along with the appropriate entities within the Office of Management and Budget (OMB), the Office of Science and Technology Policy (OSTP), and the NEC.&quot;

It seems to me that the person in charge of cybersecurity should not be a &quot;policy official&quot; (one step up from an auditor IMHO) rather, this should be a CISO -- a peer of the CIO and CTO mentioned in the next paragraph.  In other words, our government has succeeded in burying the security function as a subordinate -- not a peer -- of the CTO &amp; CIO.  In short, government has blundered by adopting the strategy that we (as consultants) have recommended that industry fix -- the CISO should be empowered, with a budget, and  - limited - operational authority.  

Mind you there are some very good things included in this study and I applaud everyone involved with it.  Politically speaking this position looks like it has achieved what the Vice Presidency has achieved -- it&#039;s a bucket of &quot;warm spit&quot;, but without the opportunity to make it into Jay Leno&#039;s monologue!

Vlad</description>
		<content:encoded><![CDATA[<p>Graydon,</p>
<p>One of the disappointing parts about the recommendations in the review (which is long overdue!) is about the &#8220;policy official&#8221;</p>
<p>Page 8, 1st full paragraph&#8230;</p>
<p>&#8220;The cybersecurity policy official should not have operational responsibility or authority, nor the authority to make policy unilaterally. Using interagency coordination processes, the cybersecurity policy official should harmonize cybersecurity-related policy and technology efforts across the Federal government, ensure that the President’s budget reflects federal priorities for cybersecurity, and develop a legislative agenda, all in consultation with the Federal government’s Chief Technology Officer and Chief Information Officer—along with the appropriate entities within the Office of Management and Budget (OMB), the Office of Science and Technology Policy (OSTP), and the NEC.&#8221;</p>
<p>It seems to me that the person in charge of cybersecurity should not be a &#8220;policy official&#8221; (one step up from an auditor IMHO) rather, this should be a CISO &#8212; a peer of the CIO and CTO mentioned in the next paragraph.  In other words, our government has succeeded in burying the security function as a subordinate &#8212; not a peer &#8212; of the CTO &amp; CIO.  In short, government has blundered by adopting the strategy that we (as consultants) have recommended that industry fix &#8212; the CISO should be empowered, with a budget, and  &#8211; limited &#8211; operational authority.  </p>
<p>Mind you there are some very good things included in this study and I applaud everyone involved with it.  Politically speaking this position looks like it has achieved what the Vice Presidency has achieved &#8212; it&#8217;s a bucket of &#8220;warm spit&#8221;, but without the opportunity to make it into Jay Leno&#8217;s monologue!</p>
<p>Vlad</p>
]]></content:encoded>
	</item>
</channel>
</rss>

