State of Emergency: Government Cyber Security Efforts are Missing the Boat, or Just Plain Missing

Posted on August 24, 2017 by Tony Kontzer

Getting to the bottom of just how problematic government approaches to cyber security are is like peeling away the layers of an endless onion. The more you learn, the more you realize this is a problem that's not going anywhere because it's not being tackled adequately.

Starting at the highest level possible, the United Nations recently released its second annual Cyber Security Index which indicated that just 38 percent of the world's countries have a published cyber security policy, and another 12 percent are in the process of developing one. In other words, half of all countries have no cyber security policy or any plans to establish one. Yikes.

What's worse is that having a policy in place doesn't even mean a nation has its cyber security act together. Consider the U.S., where despite having a reasonably mature policy, Secretary of State Rex Tillerson is considering shuttering the Office for Coordination on Cyber Security Issues, which opened under former President Obama in 2011.

Created to ensure that the U.S. was acting in concert with other countries in creating behavioral norms, encouraging dialog and forming cyber security responses, the office is expected to be folded into the State Department's Office of Economic and Business Affairs. That means the cyber security coordinator would no longer report to Tillerson, who apparently doesn't want the security buck stopping with him.

The existing cyber security coordinator, Christopher Painter, clearly saw the writing on the wall. That's the only logical conclusion to draw from the timing of his decision to leave his post as of the end of July.

Given the scope of the cyber attacks that have victimized governments in recent months — from the WannaCry ransomware attack to the alleged Russian tampering of our election system — closing the cyber security coordination office, should that happen, would seem to be a questionably timed decision. Increasingly, attacks affect multiple countries, and that means better cooperation is needed between governments to prevent attacks from spreading and threatening the global economy.

Government security leaders should be excused if they feel like waving a magic wand and making the issue go away; in fact, the desire to make cyber go away is nothing new, and has likely been felt by the CIO and CISO of every company that's been hit by a breach in recent years. But that desire gives way to the unavoidable realization that breaches don't just go away. And when they inevitably happen, they must be investigated and analyzed until the truth is known, and the hole that led to the breach is properly plugged.

Along those lines, it would behoove governments everywhere to adopt a more proactive approach to security. Private industry by all accounts has done a far better job of not only investing in and ensuring in solid security practices, it also done a better job of collaborating and sharing data to protect not just themselves, but the larger ecosystems in which they operate. As such, it's in the best interest of government IT departments to take a page from the private sector playbook and look upon cyber security as an important tool of governing, rather than as an unwanted cost center wrapped in red tape.

In a recent piece for InfoSecurity Magazine, Ian Kayne, cyber security practice lead at Mason Advisory, argued that by aligning cyber security strategy with corporate strategy, organizations can establish security as a powerful business enabler. One of the steps to accomplishing this, Kayne writes, is for organizations to accurately assess their cyber security performance.

Clearly, this has not been the governmental approach. From closing cyber security coordination offices to refusing to look upon security as an enabling activity, nations are doing their best to look the other way, hoping that cyber events don't come to roost within their borders. But come to roost, they will, and the choice is simple: Do what they've been doing, and look silly in the end, or adopt a private-sector approach to cyber security policy and get on top of the issue sooner rather than later.

Contributors

Tony Kontzer

, RSAC

government regulations

View More Blogs

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.