Former cybercop gives administration D-minus on cybersecurity

Despite a number of fresh laws and executive orders in the last decade, not much has switched in the government’s treatment to improving cybersecurity. For example, the president’s Cybersecurity National Activity Plan has remarkably few fresh ideas. Besides creating another commission to explore the problem, the president’s plan is little more than a list of familiar measures — more information sharing, more hiring and more spending on programs that produce little evidence of any real security value.

The most impactful switches in cybersecurity have been compelled on the private sector by regulatory agencies. While necessary, the government’s use of regulatory authorities has been duplicative, uncoordinated and very inefficient. As such, the security value of compliance spending for most companies is questionable.

Specifically, the Health Insurance Portability and Accountability Act and the Gramm-Leach-Bliley Act each impose requirements. The Securities and Exchange Commission and many other agencies have also flipped out standards. Since most large enterprises fall under more than one regulatory agency, the present regime creates almost unmanageable compliance requirements.

For many cybersecurity professionals, the concentrate on compliance actually detracts from efforts to implement effective cybersecurity measures. For petite and mid-size businesses, the cargo can be breathtaking.

The government needs to do much more to consolidate and streamline cyber regulatory requirements and standards so that companies can concentrate on implements and processes that work, rather than audits and reports that are mostly duplicative and provide little protection.

The best improvements in the government’s response to the cybersecurity challenge have been implemented by the military. The consolidation of the cyber compels for each branch (Army, Navy, Air Force and Marines) into a single cyber directive goes a long way toward integrating and synchronizing U.S. cyber power. In addition, the Defense Department has ramped up training to produce thousands of top-tier cyber warriors. This may be the one real solution to the enormous request for skilled cybersecurity professionals in civilian government agencies and the private sector.

Overall, I would give the Obama Administration a D-minus on cybersecurity.

Over the last seven years, the government’s cybersecurity shortcomings — made evident by the catastrophic breach of the Office of Personnel Management and the invasion of White House and State Department unclassified systems — were far worse than anything in the private sector. Instead of bold, proactive measures, the government took a reactive treatment.

By not shifting significant resources and aligning agency responsibilities, Congress shares much of the blame for the government’s mediocre response to this significant security challenge.

It’s hard for the administration to coax and cajole the private sector into making the necessary investments in cybersecurity when the government itself can’t seem to get it right.

Leo Taddeo is the chief security officer for Cryptzone, a provider of dynamic, context-aware network, application and content security solutions. Taddeo is a former special agent in charge of the Special Operations/Cyber Division of the FBI’s Fresh York Office. Prior to Cryptzone, Taddeo led more than four hundred agents and professional support staff in cyber investigations, surveillance operations, information technology support and crisis management for the FBI. He oversaw high-profile cases, including Silk Road, Blackshades and JPMorgan.

Related video: