The "Best Corporate Security Blog", went to Proofpoint for their Email Security Blog. The other contenders in my category included two of my favorite security bloggers -- Brian Krebs for his blog Krebs on Security, and fellow spam-researcher Graham Cluley for his Blog at Sophos. Bruce Schneier's Schneier on Security and Securosis rounded out the ballot for Most Popular Security Blogger.
This week I'll be summarizing some of the RSA Keynotes, starting with Howard Schmidt's RSA keynote
Howard Schmidt - U.S. Cybersecurity Coordinator
I was excited when the announcement was made that Howard Schmidt was the new Cybersecurity Coordinator for President Obama, primarily because I've had the chance to see this man's passion for cybersecurity. Howard and I are both InfraGard members, and one of the most impressive times I saw him was in Knoxville, Tennessee where we were back-to-back speakers for the their "October is Cybersecurity Awareness Month" conference. Not only was Howard speaking there, he actually had 40 speaking engagements during the 31 days of the month to address audiences about the importance of Cybersecurity Awareness! I can't think of a more energetic or appropriate person to be in this new position!
Howard began his talk with a discussion of the evolution of cyber security, comparing it to the evolution of fire fighting. He described how after people got tired of watching buildings burn down, we started building them near rivers so we could have a ready source of water to try to put out the fire. Then we had a volunteer fire department that could help prevent things from burning to the ground. We trained them how to put out fires. Later we started looking at how to keep fire's from being so devastating. We came up with "building codes" to make less flammable buildings. Why do we still have anything that can catch on fire in a building? Because we have to. Since we couldn't stop every fire, we put sprinkler systems in buildings. Will things still catch on fire? Sure. But hopefully we'll put them out quickly.
Then he made all the similar cybersecurity comparisons, leading up to his new role in the administration, representing President Obama, and working with Intelligence, Law Enforcement, Defense, and civil agencies to try to build a Secure, Trustworthy, and Resilient computing infrastructure.
In many ways his new job is to respond to the Near Term action items on the Cyber Policy Review completed by Melissa Hathaway. He used most of his talk to provide an update on the ten items:
1. Appoint somebody - (Howard)
2. Update the strategy -
3. Bring private industry into the discussion
- new FISMA performance metrics
- acknowledges that you can be FISMA compliant and not secure
- new guidelines work toward real-time security awareness
4. Appoint privacy & civil liberties person
5. Review legal issues regarding their work
6. Create a national and international security awareness policy
- national awareness (DHS)
- formal cybersecurity education (DOE)
- federal workforce structure (OPM/DOD)
- national workforce training (DHS/DOD/DNI)
7. International cybersecurity policy
8. Cybersecurity Incident Response Plan
9. Develop a framework for Research & Development (NIST, DHS S&T)
10. Cybersecurity based identity management strategy
(the fully described 10 action item "Near Term Action Plan" is given in the 76-page Cyberspace Policy Review final report
He also discussed the "open information" approach of President Obama's administration. I recall attending a briefing by Cornelius Tate in 2008 where he talked about EINSTEIN and the Trusted Internet Connections program for one of the first times publicly. Even then, all he could say about the other ten initiatives of the CNCI was that they were classified.
The Comprehensive National Cybersecurity Initiative (CNCI) has been reclassified so that we at least know what the twelve areas of the CNCI are. (These are now available on WhiteHouse.gov/cybersecurity/ => CNCI (html) or CNCI (pdf))