When all else fails (like cybersecurity), appoint a commission

Donilon and Palmisano — it sounds like a steak house. But Tom Donilon is a former national security adviser. Sam Palmisano is a former IBM CEO, who looks kinda like Treasury Secretary Jack Lew. They’ll co-chair a commission to recommend to the next President what should be done to improve national cybersecurity.

Everyone knows what happens to important, self-conscious reports from presidentially appointed commissions. Especially commissions appointed by a final-year President for use by his successor.


If the next President is a Republican, that advice will be treated like slimy bologna. That might be a good thing, because federal agencies now have so many laws, guidances and rules for conducting cybersecurity that it’s a wonder CIOs — who are responsible for cybersecurity — have time to do anything else.

The commission is charged with making its recommendations by Dec. 1. I’m guessing that’s the time when the Center for Strategic and International Studies will come out with its Cybersecurity for the 45th Presidency report, just as it came out with a 44th presidency version in 2008. It was full of recommendations, some of which the Obama administration has followed.

President Barack Obama’s executive order creating this commission came days after the budget request for 2017. As reported, the administration wants $19 billion, a third more than 2016. The request referenced last October’s refresh of the cybersecurity strategy and implementation plan, or CSIP, for the government. The new CSIP itself was supposed to be the work of more than 100 “experts” (a favored word these days) from across the government and industry. The CSIP is a baroque thing, combining reporting mandates, definitions of incidents, accelerated deployment of the Homeland Security Department’s EINSTEIN systems, workforce hiring and training, and on and on. Page after page of bullets, numbered lists, charts of milestones, references, acronyms.

One example is this sentence from a paragraph about network segmentation as a shared service:

If operationalized, all Federal organizations would be asked to provide recommendations to the network segmentation services management offering to guide the proper implementation of network segmentation within an organization.

Huh?

Now a new commission will come up with a whole new set of recommendations. True, its mandate is far wider than federal agency cyber practices. In fact, it’s rather ambitious, going so far as to “[foster] discovery and development of new technical solutions.” Sort of sounds like getting the rising oceans to recede. But the commission is also following years of policy development aimed at getting the public and private sectors to cooperate more on cyber. Whatever happened to that?

The one virtue in this precariously tall stack of prescriptions is that, taken as a blob, it recognizes that cybersecurity is both something you buy and something you do. So it takes the right people, products and practices. My worry is that all of this guidance will collapse under its own weight.

More commentary from Tom Temin