May 4, 2009 10:59 AM PDT

Will the Hathaway report lead to action?

by Jon Oltsik

President Obama in early February assigned Melissa Hathaway, a former consultant at Booz Allen Hamilton, to review the status of the nation's cybersecurity defenses, processes, and organization and report back to him with the findings 60 days hence. The president now has the results of the Hathaway study and the findings are likely to be made public this week.

Melissa Hathaway (Credit: BusinessWire)

While anticipation around the Hathaway study has reached a fever pitch, the report itself is bound to be anticlimactic at best. Why? Much of the detail will be deemed "classified," so the report's conclusions will only be communicated in general terms. What's more, cybersecurity is not exactly an esoteric topic. The Center for Strategic and International Studies released a report of recommendations for President Obama in December 2008, while the Dartmouth Institute for Information Infrastructure Protection released its own cybersecurity report in February. Finally, there was the heavily publicized resignation of the former director of the National Cybersecurity Center, who publicly accused the NSA of trying to control the whole cybersecurity enchilada.

Given all of this public discussion, the security community is fairly certain about the Hathaway report findings and recommendations. At a high level, the report will highlight the following conclusions and recommendations:

• People. There are too many people doing redundant tasks in some areas and too few in others. The report will recommend a new position reporting to the Office of the President responsible for cybersecurity oversight.

• Process. The Federal Information Security Management Act of 2002 is badly broken and needs to be aligned with departmental missions and not check boxes. It is also likely that the report will call for new best practices from the National Institute of Standards as well. Finally, the report will link cybersecurity and procurement with new security requirements for federal technology suppliers.

• Technology. While the federal government has spent billions on security technologies over the past few years, the report will likely recommend even more. For example, Hathaway may recommend federal funding for digital identity projects like the RealID Act and Homeland Security Presidential Directive 12.

Finally, the report will disclose that communication, cooperation, and technology integration between the public and private sector need to be updated, improved, and funded.

These are important matters indeed, but none of the points here are new, and we are burning precious cycles studying and discussing the same issues over and over. When your house is on fire, you don't stand around and debate whether the cause was faulty electricity or arson--you call 911 and get out as fast as you can.

Talk (and written reports) is cheap and there is far too much of it going on inside the Beltway. Let's hope that this report leads to a Trumanesque management philosophy where President Obama declares that, "the cybersecurity buck stops here," quickly initiating a series of actions, resources, and legislation to finally address these critical vulnerabilities. If the report recommends further study or a presidential commission, call your congressman and demand action.

Jon Oltsik is a senior analyst at the Enterprise Strategy Group. He is not an employee of CNET.
by DomLevin May 5, 2009 5:20 PM PDT
I agree that FISMA of 2002 didn't achieve its intended target. Hopefully the new laws will look at some of the great work done by the SANS Institute around "Consensus Audit Guidelines" (see http://bitly.com/Xh8L7). The Guidelines are good common sense and include controls around access control, secure configurations, boundary defense, log management, application software security, vulnerability testing and remediation, dormant account monitoring and control, anti-malware, wireless device control, data leakage protection, incident response, data recovery and security skills assessment.