As an (ISC)2 member and a practitioner of Computer Network Defense, I was a bit surprised that no one has done an (ISC)2 blog on the Comprehensive National Cybersecurity Initiative (CNCI) which was released back on 6/1/2009.  So I thought that I dip my toe into the pool and see what happens.  

Like many others, while I am cautiously optimistic about President Obama's new cybersecurity policy and the appointment of a new "cybersecurity coordinator," though much depends on the details.  From what I read of the report, there was a lot of discussion of the history of cybersecurity and the general concepts behind it, but not a lot of detail of what has to be done. 

The concepts discussed -- securing government networks, coordinating responses, working to secure the infrastructure in the private sector (the power grid, the communications networks, and so on), although I think he's overly optimistic that legislation won't be required. I was happy to hear his commitment to funding research. Much of the current technology used to secure cyberspace was developed from university research, and the more of it we finance now, the more secure we'll be in the future

Education is also vital, because there are still too many user practicing bad security practices and not enough professionals to protect the networks.

I respect the president's commitment to transparency and privacy, both of which are vital for security.

But the details matter immensely.  Too often, cyber attacks cross national and organizational lines.  There needs to be clear direction on who has the responsibilities for protecting the networks, who has responsibility and authority to direct network defenses.  For example, someone may have to make the call to shut down a network to prevent further damage, keep it running to keep vital operations going, or perform certain actions to preserve evidence to build a criminal case. 





I have never liked the concept of creating more "czars" to resolve problems.  However, we do need a leadership position with the appropriate authority to help allocate resources, resolve organizational conflicts, and provide a framework to coordinate cybersecurity at the national level, not just within a single department, agency or sector.






















More...