The Expert's View with David Matthews

Open Letter to Feds from the Hinterland

Heartfelt Plea to Tame Government Regulation
Open Letter to Feds from the Hinterland

Dear Federal Government:

As an employee of a local government information security organization and leader of regional public/private sector information sharing and collaboration efforts, I implore you to consider a new approach to our joint efforts to secure information infrastructure.

See Also: Keeping Your Side of the Street Clean: 5 Cyber-Hygiene Facts You Wish You Knew Earlier

Here in the trenches, the situation has become extremely serious and we're losing the battle to an adversary who's becoming more agile, determined and sophisticated. We no longer operate from a position of defending our perimeters; instead, we assume breaches will occur and have taken an information risk management approach to protect our information assets.

Though you and some of your industry collaborators, such as the Payment Card Industry, are well meaning, you've mostly created regulations to secure the computing environment, efforts that address the old paradigm of a layered, perimeter defense. This approach has failed to increase security for a number of reasons:

  • Generic regulation cannot address the complexity and variety of risks to any specific organization, industry or region;
  • Efforts to comply have become a risk unto themselves as organizations divert limited resources to avoid sanctions from the regulatory bodies;
  • Regulators and systems are not agile enough to adjust to the ever changing threat landscape, and
  • Only the organizations themselves can develop effective mitigations to the risks they deal with every day.

The best thing you can offer to those of us on the battlefield is quite simply research and development support and funding. There are some great examples of the efficacy of this approach that have taken place in the last few years. The Department of Homeland Security's Science and Technology Directorate, for instance, has funded and helped develop tools used to assist in the detection and prevention of botnet activities, contributions that effectively mitigate real-life threats used by organizations in a wide variety of industries.

Regulations have a place as suggestions of possible industry best practices, but in the end they do little to increase security of the information infrastructure. For instance, breach legislation before Congress calls for greater penalties without offering any funding, research or solutions to assist in the avoidance of breaches. It's an unfortunate case of creating legislation and regulations that are all stick and no carrot.

Please consider moving federal government toward a more supportive and collaborative stance with those of us in the hinterlands. This change would result in much more effective solutions to the problems we deal with every day.


Dave Matthews

David Matthews, CISSP and CISM, is the deputy chief information security officer for the city of Seattle and chairman of the Northwest Alliance for Cybersecurity, which promotes regional cybersecurity programs.

About the Author

David Matthews

David Matthews

former Dir. of Incident Response, Expedia; Principal Consultant, Public Sector Cyber Security Contracting Services

David Matthews has worked in the information technology (IT) field since 1992. In early 2005 he was selected to be the first Deputy CISO for the city. In his work for the city he developed and created an incident response plan that is compliant with the National Incident Management System (NIMS)/Incident Command System (ICS); updated and extensively rewrote the city's information security policy; and created and taught training courses on information security and forensics. He most recently created an IT primer for the city's law department as part of his collaboration with them on e-discovery issues.

Matthews is the public-sector co-chair of the U.S. Computer Emergency Readiness Team (US-CERT)/Department of Homeland Security (DHS) sponsored North West Alliance for Cyber Security (NWACS). With NWACS he has worked with the Pacific Northwest Economic Region (PNWER) nonprofit to sponsor information security training for Supervisory Control and Data Acquisition (SCADA) operators and managers.He is also the chair of the local Critical Infrastructure Protection subcommittee of the Regional Homeland Security team, and also is a member of the American Bar Association's Science and Technology and Electronic Discovery committees.

David holds the titles of Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Digital Recovery Forensics Specialist (DRFS), and CyberSecurity Forensic Analyst (CSFA).

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.