The short lived CISO Exchange advisory board met its demise earlier this month when Congressman Tom Davis and other officials realized that it actually could be perceived as a way of buying access to high-level government officials. No sh-t, Sherlock. At least Davis wasn't afraid to act once he realized that. More important might be making sure it doesn't happen again.
A couple of years ago, a Japanese delegation asked me to come with them to judge the validity of what various U.S. government and corporate entities told them about the latest security initiatives. One meeting we had stood out because of the high "BS factor."
The stop at the Internet Security Alliance [ISA] showed me how people were misrepresenting apparent public-private partnerships. The alliance is a partnership between the Electronic Industry Alliance, a lobbying organization, and Carnegie Mellon's Computer Emergency Response Team [CERT], which is significantly funded by the Department of Defense and is generally perceived to be an unbiased center of excellence. I didn't know what to expect, but it was quickly obvious that the ISA representative was trying to make the fact-finding meeting into a sales pitch. What struck me as most heinous was that joining ISA would entitle you to advance, taxpayer-funded research bulletins from CERT that weren't yet available to the public.
The worst part was when the ISA person, in front of the CERT representative, implied that ISA members were able to prevent the Code Red attack while others were not. He stated that ISA members were given the CERT warnings of the underlying vulnerability and mitigation procedures weeks before the general public. That may have been true, but the fact is that the Code Red attack was not launched until six months after the general public received the warning, meaning that the advance warning was worthless. Either way, the implication that you have to pay as much as $70,000 [top cost of an ISA membership] to receive critical warnings developed by a government-funded organization is outrageous.
No one, however, should be surprised that a group billed as a public-private partnership could be seen as intended to buy access to government participants. Do you think that traditionally tight-fisted government integration firms were willing to pay $75,000 [CISO Exchange] to join an organization for the greater good? Do you think the money came out of relatively small R&D budgets or virtually unlimited business development budgets? Do you think it is a coincidence that O'Keefe & Associates, the CISO Exchange organizer, is a marketing and PR firm?
Many professional organizations thrive on their marketing potential for commercial firms. This, however, can be a generally synergistic relationship when the cost of entry is not exclusive. Unfortunately, the abuse of the phrase "public-private partnership" is becoming rampant around the information security field.
The only protection afforded to our industry and poorer vendors is for the officials with influence, such as Davis and the federal CISOs, to be the gatekeepers. Frankly, many government and private executives love to be sucked up to and appreciate being invited to be key figures in such "partnerships." It is with great pleasure that I am surprised by the apparent integrity of Congressman Davis in realizing what he got himself involved in and publicly doing the right thing, albeit a little late. Now that he has seen the light, maybe as chairman of the House Committee on Government Reform he can set standards for government CISOs so that they aren't held out as carrots for salivating government contractors for the benefit of the latest overpriced "public-private partnership."