Shostack + Friends Blog Archive

 

Dear Mr. President

U.S. President Barack Obama says he’s ”concerned” about the country’s cyber security and adds, ”we have to learn from our mistakes.”

Dear Mr. President, what actions are we taking to learn from our mistakes? Do we have a repository of mistakes that have been made? Do we have a “capability” for analysis of these mistakes? Do we have a program where security experts can gain access to the repository, to learn from it?

I’ve written extensively on this problem, here on this blog, and in the book from which it takes its name. We do not have a repository of mistakes. We do not have a way to learn from those mistakes.

I’ve got to wonder why that is, and what the President thinks we’re doing to learn from our mistakes. I know he has other things on his mind, and I hope that our officials who can advise him directly take this opportunity to say “Mr. President, we do not learn from our mistakes.”

(Thanks to Chris Wysopal for the pointer to the comment.)

Originally published by adam on 14 Jul 2016
Last modified on 14 Jul 2016
Categories:   government   Reports and Data   Uncategorized  

One comment on "Dear Mr. President"

  • Andre Gironda says:
    15 Jul 2016 at 5:22 am

    There are legitimate concerns about how information travels
    (Situational awareness; situational understanding)
    It has to do with the volumes of information being transmitted and who has access
    (see FAIR, OpenGroup O-RA — avoidance controls)
    He doesn’t think the government has done its job protecting our/its information
    (Governance, policy, law, promulgation, budget)
    He thinks we are going to have to do better and learn from our mistakes
    (We must run table-top exercises and live-test simulations in the style of the MITRE Cyber Exercises Handbook in order to generate After-Action Reports)
    We know there has been hacking and we know there are problems with how our people handle our information
    (Ownership, authority, accountability)
    The controls necessary to protect our data are being examined thoroughly and he thinks it will be a work-in progress (WIP) over time
    (Leaders have been assigned but they must deliver. However, we are in the early stages of a Kanban-style effort that is not ready to actually stave the current-running wounds and damage being taken)

    Pretty fucking clear to me, Adam. Love President Obama!

Comments are closed.