The response to Triumfant CEO John Prisco’s less-than-laudatory reaction to the White House Cybersecurity Policy Review has been interesting to watch. To John’s credit, he did not fall into line and unilaterally sing the praises of the document or the President’s speech, and his was one of the first voices in the IT security market to express practical concerns over the review. One of John’s primary concerns was a lack of urgency with regard to taking some real and concrete action sooner rather than later, given the depth of our current problems and vulnerabilities.
One good example of action over rhetoric was made public Wednesday, when the National Institute of Standards and Technology (NIST) announced that it was teaming with the U.S. Department of Commerce’s National Telecommunications and Information Administration (NTIA) to work with the Internet Corporation for Assigned Names and Numbers (ICANN) and VeriSign on an initiative to “enhance the security and stability of the Internet”. Specifically, the initiative is working to bring a new security technology called Domain Name System Security Extensions (DNSSEC) into use to address known vulnerabilities in the DNS protocol. The working group plans to deliver an interim approach to DNSSEC by year end and continue to collaborate with U.S. agencies and the private sector to further refine the technology going forward.
There is a lot of good in this little announcement. One, they are addressing – not studying or measuring or debating – a real problem. Two, this is a collaboration of multiple government entities and the private sector, proving that it can be done without dissolving into Lord of the Flies. Three, they are moving forward to deliver something sooner rather than later, and will refine as they go. It appears they have a solid plan with dates and deliverables, and have the proper commitments in place to deliver to that plan.
I have heard John say this more than once this week and I believe he is dead-on right: we have ceded the luxury of debate and we need to move quickly to action. With regard to U.S. cyber security, the problems we face are deep enough that we don’t need to waste time measuring their depth before we start to fix them. Action is required and required sooner rather than later, which is why John rightfully asked why the review was announced without a cyber czar selected and ready to get started. Hats off to NIST and the others behind the DNSSEC initiative, as they are moving forward at a time when more walk and less talk is the order of the day.