The new Secretary of the Department of Homeland Security addressed the Commonwealth Club recently. I would have fallen asleep before he got to talking about cyber. (For some reason government folks refer to cyber security as "cyber". It sounds strange and jingoistic. I can't figure it out.) So I thought it would be valuable to publish the parts of his speech that related to "cyber" here.
As usual the DHS approach is to lump all infrastructure together. And just as the FBI lumps child pornography into the same enforcement arm as distributed denial of service attacks and extortion, DHS lumps the electrical grid, agriculture and water in with cyber security.
The rest of the DHS position is still consistent with what it has been before: a heavy reliance on industry to fix itself. The focus seems to be on response and not protection. CERT is helpfully issuing alert levels. I maintain that this is just an expensive add-on to security awareness training.
My advice to DHS: heal thyself. Take immediate steps to:
1. Patch and upgrade every single Windows machine within DHS. Get them to Windows XP SP 2.
2. Find and review the security settings and vulnerabilities for every single server and router within DHS. Fix the insecure machines.
3. Immediately discontinue the use of insecure protocols within DHS. Start with Telnet, TFTP, and FTP.
4. Deploy firewalls between every IT jurisdiction. The firewalls should "Deny all that is not explicitly allowed".
5. Find and encrypt every data store of personal information.
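Step 3 is the one that can be checked mechanically on every host: look at what is listening and flag the cleartext services. The script below is an added example written for this post, not something DHS or the post's author published. It assumes the output format of Linux `netstat -tuln` (a constructed sample is embedded) and its own port-to-protocol mapping for Telnet (tcp/23), TFTP (udp/69) and FTP (tcp/21), with the encrypted replacement a defender would normally migrate to.

```python
"""Audit listening sockets for the cleartext protocols the post says to discontinue.

Constructed example: the netstat sample and the port mapping are assumptions
made for this illustration, not data from the post.
"""
import re
from typing import Dict, List, Tuple

# Ports the post names as insecure, keyed by port: (service, transport, replacement).
INSECURE_PORTS: Dict[int, Tuple[str, str, str]] = {
    21: ("ftp", "tcp", "SFTP/SCP over SSH (tcp/22)"),
    23: ("telnet", "tcp", "SSH (tcp/22)"),
    69: ("tftp", "udp", "SFTP/SCP over SSH, or TFTP confined to an isolated management network"),
}

# Constructed sample in the layout of `netstat -tuln` on Linux.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:69              0.0.0.0:*
udp        0      0 0.0.0.0:123             0.0.0.0:*
"""

# proto, then two queue counters, then local address:port. Handles tcp6/udp6 too.
LINE_RE = re.compile(r"^(tcp|udp)6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+")


def parse_listeners(netstat_output: str) -> List[Tuple[str, str, int]]:
    """Return (transport, bind_address, port) for each listening socket line."""
    listeners = []
    for line in netstat_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header or an unrecognised line
        proto, addr, port = m.group(1), m.group(2), int(m.group(3))
        # TCP sockets must be in LISTEN state; UDP lines carry no state column.
        if proto == "tcp" and "LISTEN" not in line:
            continue
        listeners.append((proto, addr, port))
    return listeners


def find_insecure_services(netstat_output: str) -> List[dict]:
    """Flag listeners that match the insecure-protocol table, lowest port first."""
    findings = []
    for proto, addr, port in parse_listeners(netstat_output):
        entry = INSECURE_PORTS.get(port)
        if entry and entry[1] == proto:
            name, _, replacement = entry
            findings.append({
                "service": name,
                "proto": proto,
                "port": port,
                "bind": addr,
                # Bound to a wildcard address means reachable from every interface.
                "exposed": addr in ("0.0.0.0", "::", "*"),
                "replacement": replacement,
            })
    return sorted(findings, key=lambda f: f["port"])


if __name__ == "__main__":
    for f in find_insecure_services(SAMPLE_NETSTAT):
        scope = "all interfaces" if f["exposed"] else f["bind"]
        print(f"{f['service']}/{f['proto']} port {f['port']} bound to {scope}; "
              f"replace with {f['replacement']}")
```

Run it against real `netstat -tuln` output by piping that text into `find_insecure_services`; a non-empty result is a host that has not finished step 3, and the `exposed` flag separates services reachable from the network from ones bound only to loopback.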
After these five steps, and after getting through the solid wall of resistance to change, DHS will be ready to confront issues like strong authentication and patch management.
Strong medicine? Harsh criticism? You bet. But, you have to take your medicine.