WAPO piece on the search for federal cybersecurity by way of reader David Emery.
A wonderfully summarizing segment:
Indeed, one sign of the private sector's engagement is an increase in the number of leading technology firms that, spurred by government contracting rules, have adopted a common lexicon to describe computer configurations and vulnerabilities. The increasing adoption of these protocols by firms such as Symantec, McAfee and Microsoft is making more feasible the automated monitoring of networks to detect and patch vulnerabilities more rapidly, officials say.
The Department of Homeland Security - which is responsible for protecting civilian government systems and helping to secure commercial networks - would like to see such "continuous monitoring" applied across the entire federal government and beyond, said Phil Reitinger, deputy undersecretary of the National Protection and Programs Directorate.
"We certainly want to build out a fundamentally more secure ecosystem that can be adopted by the private sector as well," he said.
Despite such advances, experts say that DHS remains beset by bureaucratic challenges, a lack of authority to demand results from civilian agencies, and a plethora of other priorities - including combating domestic terrorism, securing the borders and enforcing immigration laws.
DHS has struggled to implement Einstein 3, a program that is supposed to detect and block malicious software before it enters government networks.
More than a year after the department said it was moving forward, the program remains in pilot mode, in part because DHS has been unsure whether to use technology from private industry or from the ultra-secret National Security Agency. The agency has powerful electronic surveillance capabilities, but its involvement might raise privacy concerns.
You have everything here in microcosm: the positive role of creating a common pubic/private-sector language, a great role for the government to play; the difficult choice of militarizing (intelligencizing?) the technology to go for more security or keeping it commercial to better manage boundary conditions with the private-sector-dominated critical infrastructure?; the privacy fears; the unclear rules; etc.
Nice piece.