Skip navigation

Tag Archives: United States

It’s rare that two of my passions—food and information security—intersect, but thanks to the USDA’s announcement of their Blueprint For Stronger Service, I can touch on both in one post.

In 2011, the Obama administration challenged all departments to reduce costs in a effort dubbed the “Campaign to Cut Waste“. In response, the USDA has managed to trim annual expenses by $150 million through a number of efforts. One such effort is to close 259 domestic USDA offices (you can see which states are impacted below).

I’m going to expand on why this is a bad idea over at #nom later this week, but 2011 was not a good year in terms of controlling food poisoning in the United States and I don’t think closing offices will make for better oversight.

Other efforts focus on the elimination of redundancies and inefficiencies. The Blueprint has 27 initial (or to-be-implemented immediately) improvements that include the following:

  • Consolidate more than 700 cell phone plans into about 10
  • Standardize civil rights training and purchases of cyber security products
  • Centralize civil rights, human resource, procurement, and property management functions

So, they were either getting gouged by suppliers (unlikely since there is negotiated pricing for the government) or the USDA’s “cyber-security” strategy was severely fragmented (and, thus, broken) enough that even finance folks could see the problem. Regardless of the source, it had to be pretty bad to make it to the top three of 27 immediate items (and called out in every sub-department press release) and even more so amongst over 160 initiatives that are being or have been put in place.

I still cannot find the details of the plan or budget analysis that went into the focus on cyber security products (links appreciated if you have them), but as private organizations continue their efforts to defend against existing and emerging threats, it might be worth a look at your strategy and spend a bit more closely. Would your infosec department be included in a similar list if your organization went through such a sweeping cost-cutting analysis program? Is your portfolio of security products as optimized as it can be? Could you use a budget sweep as an opportunity to leap frog your security capabilities (e.g. move to whitelisting vs signature-based anti-malware) vs just pressure your existing vendors and re-negotiate contracts?

Unfortunately, the government being the government, I’m now even more concerned that the USDA may need to worry about increased infections on both the food-level and the “cyber” level.

Dr Greer [cgreer at ostp.eop.gov] is Assistant Director, Information Technology R&D, Office of Science & Technology Policy, The White House

Opening: “The expertise of the attendees is greatly needed.”

He provided a broad overview of the goals & initiatives of the federal government as they relate to domestic & international cybersecurity. Greer went through the responsibilities of various agencies and made it clear that this is a highly distributed effort across all sectors of government.

He emphasized the need for a close partnership with private sector to accomplish these goals and also the criticality of not just coming up with plans but also implementing those plans.

It really was a high-level overview and – as I point out in the twitter transcript – would have been cooler if Dr Greer did a deep-dive on 2-3 items vs do a survey. He did set the tone pretty well – we are in challenging times that are changing rapidly. We’re still fighting the fights of 5-10 years ago but are working to provide a framework for keeping pace with cybercrimminals. The government is “doing stuff”, but it’s all useless without translating thousands of pages of legal mumbo jumbo into practical, actionable activities.

The 10 minute post-talk Q&A was far better than the actual preso.

Twitter transcript:

#weis2011 Obama: "America's economic prosperity in 21st cent will depend on cybersecurity" :: sec begets growth but underscores threats, too

#weis2011 one time we never expected every individual to need an IP address, now even refrigerators have one.

#weis2011 IPv6 need exacerbated by mobile, mobile apps themselves have great benefit, but also introduces new threat vector.

#weis2011 OSTP runs phishing tests 3x year #spiffy

#weis2011 POTUS Strategy: Catalyze brkthrus for natnl priorities, promote mkt-based innov; invest in building blocks of american innovation

#weis2011 policy review (2009) themes: lead frm top;build cap for dig natin;share resp for cybersec;effective info sharing/irp; encrge innov

#weis2011 pimping the International Strategy For Cyberspace release recently http://1.usa.gov/jZXIdE

#weis2011 key "norms" in ISC report: upholding fundamental freedoms (esp speech), global interoperability & cybersecurity due diligence

#weis2011 Greer shifting to talking about legis; OSTP has been wrkng to promote good bills esp for natnl data breach rprting & penalties

#weis2011 computer fraud & abuse act is *25 years old*. We need new regulations to help fight 21st century crime < 25 years! yikes! #weis2011 FISMA shifting from compliance-based to proactive protection-based; mentioned EINSTEIN IDS/ISP #wes2011 pimping http://csrc.nist.gov/nice/ education & awareness efforts #weis2011 pimping fed trusted ID initiative http://www.nist.gov/nstic/ ; password are $ & failing; multiple accts are real & problematic #weis2011 (pers comment) the audience knows much of what Greer is saying, surprised he's giving such a broad overview vs 2/3 deep dives #weis2011 (pers comment) the efforts for fed cybesec seem waaay to disjoint & distributed to truly be effective. #weis2011 pimping fed trusted ID initiative http://www.nist.gov/nstic ; password are $ & failing; multiple accts are real & problematic #weis2011 pimping http://www.nitrd.gov/ CSIA, SSG & SCORE < much alphabet soup in fed cybersec…the letters didn't help senate.gov today #weis2011 results of many research efforts are both near & just over the horizon, but all useless if not put into effective practice #weiss2011 impt to work with priv sector on economics of legis&policy choices (immunity/liability/safe hrbr/incentives/disclosure/audit) #weis2011 need to understand market factors incentivizing hackers (valuation/cost-ben/risk-decision making/criminal markets) #weis2011 (pers comment) another poke at Microsoft when talking about server security. Major hacks of late were linux/apache/solaris. #lame #weis2011 Cyber insurance is a possibility if we can develop good quant-based risk assessment/management frameworks #weis2011 cgreer@ostp.eop.gov #weis2011 q:"where will cybersec be in 10yrs?" -cyberspace will be more resilient & trustworthy; hardening sys&nets useless w/o educatng ppl #weis2011 by 2021 we will have solved all the cybersecurity issues of 2005 < wise man #weis2011 q:"the US spends > than rest of wrld combined on cybersec but it's still just pennies. will this change?" :: it's in the proposals