Shostack + Friends Blog Archive


An Open Letter to the New Cyber-Security Czar

Dear Howard,

Congratulations on the new job! Even as a cynic, I’m surprised at just how fast the knives have come out, declaring that you’ll get nothing done. I suppose that low expectations are easy to exceed. We both know you didn’t take this job because you expected it to be easy or fun, but you know better than most how hard it will be to make a difference without a budget or authority. You know about many of the issues you’ll need to work through, and I’d like to suggest a few less traditional things which you can accomplish that will help transform cyber-security.

There are important things which you can achieve which are aligned with President Obama’s agenda and orientation that aren’t in the current strategy to secure cyberspace. They’re opportunities which have arisen in the last few years to increase transparency and accelerate new research that’s focused on security outcomes, rather than process.

Over the last 5 years, in the wake of California’s 1386 and ChoicePoint’s big breach, we’ve learned about thousands of security breaches. We’ve discovered that most of our fears don’t come to pass. Companies don’t go bust, and customers don’t flee. It’s time to embrace transparency, and admit that we all have security failures. Only by studying what goes wrong can we really expect to improve. So the first step is to de-stigmatize failure. That’s not to say we should accept failures; it’s that we should disclose them, discuss them, and focus on what we can improve. You can set the right tone from your bully pulpit.

Next, as the nation’s cyber-security advisor, you’re in a position to push the heads of the federal agencies to open up about what they’re doing and how it’s working out. The data is already being collected by US-CERT; it’s a matter of transparency. Of course, some subset of the data will need to be appropriately redacted, but let’s embrace a need to share in information security. The President has committed to getting our data online, so let’s make sure security data is included on (I’ve already sent a request for this to As you work to expand public-private partnerships, why not start by sharing the data that the government has? It could reset the tone of the conversation. You can also support the non-profit Open Security Foundation‘s [link to no longer works] work on [link to no longer works]. The value they deliver on a volunteer basis is amazing, and the amount that would be required to take that to the next level by making it their day jobs would be a rounding error for any of the folks you’ll be working with daily.

Finally, I’d urge you to evolve our nation’s security research agenda. There are many smart, dedicated people working in information security. Many have been promoting approaches which have yet to take hold. You must bring new voices and perspectives to research. Emergent fields like “economics and security,” usable privacy and security, and security and human behavior bring important new perspectives of security as a human-centered discipline.

Each of these steps can be taken with your budget and authorities. Together, they’ll transform cyber security into an empirical, effective and outcome-centered discipline, and that would be an amazing legacy for any leader.

7 comments on "An Open Letter to the New Cyber-Security Czar"

  • Russell says:

    Great suggestions. I might go further and suggest that Howard Schmidt limit his scope to only these items to avoid the tar pit of trying to be all things to all stakeholders.

    He should state clearly: “I don’t own responsibility for cyber security, for the government or the nation. Each entity continues to own responsibility for cyber security, individually and collectively. My only contribution is to improve the quality of information to drive collective decisions, actions, and incentives.”

    I would add just one more item: measures and metrics on the people side of security management and coordination, both within specific organizations (public and private) and between organizations (including collaborations, joint ventures, coordinating committees). This would include recruiting, performance management, organization, and also learning and knowledge management. Methods exist for this, but have never been applied to cyber security, to my knowledge.

  • jared pfost says:

    Hi Howard, I’m sure you have the new skool blog on your rss feed so I wish you the best. To continue the transparency theme, you have a great opportunity to be the carrot in this process. In addition to CERT related data and people metrics, advance the measurement work started at NIST SP 800-55 and wrap a measurement and communication process around it (measure the measurement (has a nice govt redundancy theme:)). You don’t have to be accountable to celebrate those who have mature programs and spotlight those who don’t. Perhaps you could use the GAO to scale, the OMB as a stick. Eventually you can tie program and measurement maturity to your breach data. You’ll be sitting on an information goldmine.

    The public doesn’t need to see all the dirty laundry; having each group understand their target metrics (i.e. acceptable risk) and progress is a great step.

    P.S. Please don’t include control checklists or employee certification requirements in legislation to manage risk. Use incentives to drive behavior, e.g. OMB smack-down or leadership reassignment for breaches/failures.

  • Alex says:

    Hi Howard,

    Again, congratulations on your appointment. The one thing that I would hope you would drive during your tenure is the evolution of security standards. An expanded piece is here:

    In summary – standards have limited use over time and are incapable of evolving unless they include provisions for the collection and sharing of data, and their oversight/governance body uses that data to change the standard as the threat landscape changes.

    Your influence in this regard, on NIST especially, would ensure that however long your tenure, and whatever else happens, you will have significantly moved our industry forward.

    All the best,


  • Dear Howard:

    I’ll keep it short.

    Let me know how we can help you be successful; it’s a two-way street. No preaching here.
  • Tony says:

    I am pretty sure he reads these posts and not only appreciates the comments but takes them to heart. One thing for sure, they can’t continue doing the same things and expecting different results. Standards, the NIST 800 series and metrics have to evolve to keep pace with what is going on in the real world beyond the labs. Hoff and others like those that have posted here will be who makes the difference, not a single office in DC.

  • Rob Lewis says:
    “One thing for sure, they can’t continue doing the same things and expecting different results.”

    Shades of Marcus Ranum, you are right about that Tony, but of course the only answer they can think of is to pile more layers of what is not working now.

  • Adrius42 says:

    There have already been a number of great comments added to this text.

    Repeating /Hoff’s offer, how can we help?

    As an active member of the Board of Management of the Jericho Forum ( )
    I would clearly commend you to read “The Jericho Forum Commandments” [link no longer works]
    and understand the various concepts embedded in the Collaboration Oriented Architecture.

    One request:
    Please do not follow the path of the physical security world that is implementing “Full Body Scanners” as a response to the “Christmas Pants Bomber” in the clear knowledge that the same scanners would not have caught him. We have similar behaviours in the Information Security world.
