According to Andy Purdy, the DHS is ready to "git 'er done" in terms of ramping up the nation's cybersecurity posture. From PC World:
'A draft of a national infrastructure vulnerability assessment, including a cybersecurity assessment, should be completed within a couple of months, and the DHS Internet Disruption Working Group is working on a plan for Internet recovery after a major attack... The cyber division is also supporting efforts to push IPv6... the division is encouraging software vendors to create more secure products, and it plans to renew efforts to work with other agencies and private companies to identify the most significant cyberattack possibilities' (Purdy)
So, to sum up from this and other sources, the plan is:
- IPv6
- "Wargame-style" simulation exercises
- Get software/hardware vendors to reduce vulnerabilities (specific plan forthcoming)
- Hire a telecom guy
- Develop a disaster recovery plan
- Do a vulnerability assessment
The bottom two seem like good ideas to me, but lest we give the DHS too much credit, keep in mind that they were specifically mandated by executive order to be complete by 2003 and that we're still waiting for them to get done. Other than the bottom two, I'm thinking that the DHS plan has some major flaws. After all, do they think that they're going to get IPv6 rolled out across the US single-handedly? Are they going to somehow get every software vendor to change the way they do business to fix software vulnerabilities? Clearly not. Call me a skeptic, but I'm disappointed in the DHS plan, no matter what the spin from the industry press.
In the aftermath of Katrina, after it came out that the DHS had known for at least a year about the internal problems plaguing it, why are we still seeing a lack of clear, accountable, direct steps from the DHS? Continued statements about how disaster recovery plans, asset inventories, and vulnerability assessments are "forthcoming" do not inspire confidence - especially since these tasks are 3 years overdue. I've missed some deadlines in my day, but I think after being a year or so late (let alone three years), I'd start doing some major soul-searching on how things came to be in that state, and I'd probably demand some accountability.
And the DHS hiring more staff to "coordinate"... It seems to me like they already have a bunch of people coordinating and not enough people getting work done... Setting impossible goals like "switch to IPv6" or "fix software vulnerabilities" doesn't help me sleep soundly at night - if the DHS can't get the simple stuff done like determining what systems they have deployed or figuring out their network topology, how can we believe they'll fix the big stuff like changing the nature of software development the world over?
Posted by Ed at October 3, 2005 12:59 PM