http://www.scmagazine.com/ash-carter-spoke-at-stanford-university/article/411392/
Yes the government needs a culture change if it is to address its own and the national issues pertaining to security, technological, in general, internet related and more. But not like this.
A real culture change would involve hiring the likes of people such as Marcus Ranum, Gene Spafford, Becky Herrold., and more significantly the very vocal Bruce Schneier AND PAYING ATTENTION TO WHAT THEY SAY AND CARRYING OUT THEIR RECOMMENDATIONS. And please note: none of this is new or radical.
But a read of Bruce’s articles blog and published articles will make it clear to any intelligent reader, even those outside the InfoSec community, that they won’t. The culture change it would require would impact too many vested interests and long held beliefs, even though Bruce — and others — have long since shown them to be in the same class as The Emperor’s New Clothes.
When the government talks of cyber-security experts it really doesn’t want people who think in terms of policy and strategy. The fact that most government agencies could do better if they carried out the recommendations that have been made to them — but consistently don’t[1] — tells you something about their innate culture. Just adopting the GAO recommendations would take a culture change. Adopting ‘uber 133z h4x0r’-wannabes for job roles that are written as what amounts to jumped-up netadmin and sysadmin positions doesn’t make for good security[2].
Yes, a culture change is needed. But the kind of changes that the ‘insiders’ — and that goes for the media too — envision don’t really amount to a meaningful change.
[1] http://www.gao.gov/key_issues/cybersecurity/issue_summary#t=1
http://www.regblog.org/2014/09/18/18-yang-gao-and-it-oversight-report/
http://www.cnn.com/2014/12/19/politics/government-hacks-and-security-breaches-skyrocket/
[2] The idiom “rearrange the deckchairs on the Titanic” comes to mind
Or perhaps the Hindenburg.
