How Many Open Letters To Howard Schmidt Do We Need? Just One.
My friend Adam at the The New School Information Security Blog wrote An Open Letter to the New Cyber-Security Czar:
Congratulations on the new job! Even as a cynic, I’m surprised at just how fast the knives have come out, declaring that you’ll get nothing done. I suppose that low expectations are easy to exceed. We both know you didn’t take this job because you expected it to be easy or fun, but you know better than most how hard it will be to make a difference without a budget or authority. You know about many of the issues you’ll need to work through, and I’d like to suggest a few less traditional things which you can accomplish that will help transform cyber-security.
Adam’s thoughtful post was chock full of interesting points and guidance associated with what he and others think Howard Schmidt ought to consider in his “new” role as Cyber-Security Coordinator.
My suggestion was a little more simple in nature:
Dear Howard:
I’ll keep it short.
Let me know how we can help you be successful; it’s a two-way street. No preaching here.
Regards,
/Hoff
In addition, here’s my simple open response to all those who have suggestions for Howard — it’s not an attempt to be self-righteous, critical of others or antagonistic — but I, like Adam, am amazed at how cynical and defeatist people in our community have become.
If Howard called me tomorrow and asked me to quit my job and make sacrifices in order to join up and help achieve the lofty tasks before him for the betterment of all, I would.
Guaranteed. Would you?
I’m glad you stepped up, Howard. Thank you.
/Hoff
No I definitely wouldn't. It would appear noble to step into the breach and fight the good battle. Unfortunately, having worked extensively in government circles I know that there are thousands of systemic and organizational problems that aren't going to be solved by an office without budget or authority. Telling Agencies and Defense Contractors to do something differently when it's in their vested interest to continue burning money and creating problems is as useful as battling wind mills.
I think Matthew is correct unfortunately, and he is only addressing inertia and cultural change, not the fact that the security model is broken.
Howard's only hope is to find someone in government who has been successful, praise the sh*t out of them, and somehow leverage that knowledge and achievement to the max in order to motivate people to copy success, as he has no clout to embarrass people or hold anyone accountable.
I fight this everyday – people telling us what we can't do instead of saying 'how can we help you succeed?'. It's an important shift from pragmatism to progress. That said, the behemoth that is the Federal space is an oil supertanker at sea….one guy on the bow saying 'turn left' won't get the intended results unless he's got someone in the wheelhouse at the helm.
I'm not sure its pessimism to express concerns about the very real constraints facing our new CyberSecurity Czar, or to have a discussion about whether this was the right choice.
I've read some interesting opinions, but not nearly enough as most posts are glib congratulatory messages. I would almost say that those who point out issues like lack of budgetary control, confused reporting structure, that this is a second appointment to the same position, and so forth are being quite rationale in their analysis (as opposed to blindly praying for someone, anyone, to be the CyberSecurity Czar.
Its also reasonable to question whether this is really a priority with the amount of time it took between announcing the position and actually staffing it.
No other government official gets a free pass. Don't we want infosec to be taken as seriously as those disciplines?
From what I understand, Howard is working first on government cloud initiatives. Free work from Beaker might be just what he needs.