President Trump's Cyber Strategy for America - what does "Common Sense Regulation" actually mean?
https://www.whitehouse.gov/wp-content/uploads/2026/03/President-Trumps-Cyber-Strategy-for-America.pd ^ | 6th March 2026 | The White House

Posted on 03/09/2026 2:27:37 AM PDT by MalPearce

Six Policy Pillars underpin this strategy and will guide implementation and measures for success...

1. Shape Adversary Behavior
2. Promote Common Sense Regulation
3. Modernize and Secure Federal Government Networks
4. Secure Critical Infrastructure
5. Sustain Superiority in Critical and Emerging Technologies
6. Build Talent and Capacity

(Excerpt) Read more at whitehouse.gov ...


TOPICS: Business/Economy; Government; News/Current Events; Technical
KEYWORDS: cyber; cybersecurity
This document doesn't really say a lot that hasn't already been part of loose direction across the USA and its allies for at least ten years. But I did pick up on a couple of things:

"We will prioritize the security and resilience of the National Security Systems that underpin our military, intelligence, and civilian enterprises."

"Cyber defense should not be reduced to a costly checklist that delays preparedness, action, and response."

I'm sure anyone bogged down with CISA, HIPAA and NIST will be scratching their heads over these statements!

Performative compliance aligned to "controls libraries" is a laborious tickbox exercise especially if your business is bogged down constantly by having to submit to external audits or repeat the status of compliance to multiple government agencies because they're not joined up enough to have a single central reporting mechanism; HOWEVER if there's no comparison mechanism at all, there's no way to know if a supplier of "critical infrastructure" is hitting the security standards that the Administration expects.

And it's actually the supply chain that's the question here. Sure, the whole public sector network security issue needs fixing, but GLOBALLY, nations are finding that there are some attack vectors hitting the government staff and networks and other attack vectors that are attacking the supply chain.

You can't over-regulate the government Cyber stuff and de-regulate the private sector, without creating massive cybersecurity risks - especially if you heavily rely on private sector innovation to operate the government sector services.

Simple example: We all want AI-enabling startups innovating to achieve cybersecurity ambitions across the government sector. At the same time, we certainly don't want those startups simply putting a shim over a Chinese AI model, or outsourcing the coding to a team in the Russian Caucasus.

Anyone else have any thoughts on this?

1 posted on 03/09/2026 2:27:37 AM PDT by MalPearce

To: MalPearce

>6. Build Talent and Capacity

End H1B as currently used in the IT sphere.


2 posted on 03/09/2026 3:50:37 AM PDT by FreedomPoster (Islam delenda est)

To: MalPearce

I’ve been dealing with USDA Inspectors and they are beyond common sense. PITA and the animal rights people have filled the government inspection and animal protection roles at all levels of government.

They actually are writing violations and fining farmers who are not at their barn in the middle of the day to meet them during surprise inspections. They claim the farmer does not have regular hours.

I explained that the barn hours are 5 am to 7 am and 5 pm to 7 pm. These are every day, 7 days a week. You can’t get more regular than that.

In one instance, they were cited because one animal out of more than 900 had a growth. I explained that it was treated, but treatment does not heal the sore immediately.

Freaking crazy liberal women with power that has gone to their head.

Oh, and the statute of limitations is 5 years, so they are now filing complaints for fabricated violations from 5 years ago, even though the business was closed 3 years ago! Their harassment was so great that most of the farmers raising small animals (raising guinea pigs for research) have stopped, to get rid of the harassment.


3 posted on 03/09/2026 4:06:14 AM PDT by tired&retired (Blessings )

To: MalPearce
"Cyber defense should not be reduced to a costly checklist that delays preparedness, action, and response."

Checklists can be common sense or mindless rubrics. Those 15 character passwords with special characters? Mindless rubric. Proper server security disallows password guessing and disallows cracking of password hashes. With those proper server security measures a 4 character password is equally strong.

Along with security, the entire SW field is infected by dogma. It has infected the AI too, which produces solutions driven by dogma, basically: "this is how the experts do it so it's how everyone has to do it". But it turns out so-called experts in fields like cyber security, including entire companies, are mostly raking in the bucks with costly checklists.

4 posted on 03/09/2026 4:25:59 AM PDT by palmer (Democracy Dies Six Ways from Sunday)

To: MalPearce

bump


5 posted on 03/09/2026 7:27:18 AM PDT by Albion Wilde (The first duty of the American government is to protect American citizens, not illegal aliens. --DJT)

To: MalPearce

“what does “Common Sense Regulation” actually mean?”

DEI is a good example of common sense regulation.
The Federal government pays 90% of Medicaid. The states pay 10% and contract with Deloitte, Gainwell and other vendors to implement Medicaid.

The Feds/HHS require some reports from the states to show race and ethnicity at the level of Asian, etc. Other HHS reports require race and ethnicity at the more granular level of East Asian, SE Asian, South Asian, and other HHS reports require the granularity of Japanese, Korean, Chinese, etc.

In reality (in GA) for 1/3 of the population served, the race/ethnicity is “unknown”, “not available”, or similar.

So what is “Common Sense”?
1) Spend the money required to obtain an accurate race/ethnicity on 100% of the population served?
2) Roll the more granular up to the less granular designation?
3) Design the software to handle all possibilities?


6 posted on 03/09/2026 10:25:00 AM PDT by spintreebob

To: palmer

Who’s still doing something as archaic as 15 character passwords with special characters? Outdated NIST 800-53 guidance, I guess.

For interactive logon accounts, there are five basic controls to think about within a “defense in depth” strategy:

1. Passwords need to be properly encrypted during creation, transmission and while in storage, in such a way that it’d be nigh-on impossible to crack a password store and get everybody’s logins without a malicious insider actively helping you.

2. Brute-force countermeasures need to be in place to stop bots breaking through an interactive logon process.

3. Non-expiring long passwords with NO COMPLEXITY OR UNIQUENESS REQUIREMENTS - that people are never gonna forget - are way better than rotating 8+ char passwords with special chars which are inherently hard to remember. Dumb policies result in people writing their passwords down or using guessable/predictable patterns (e.g. Jan2026?! —> Feb2026?! —> March2026?!).

If you’re really, really forgetful, you can use “What Three Words”. Pick the spot that corresponds to the corner of your back yard that your dog craps in. No beggar’s ever gonna guess THAT. And if you ever forget what it is... you can just open a private browser session and drag the map around your back garden until you hit the right reminder.

4. If it’s an enterprise system, use endpoint compliance and risk-based authentication so if your computer isn’t on the VPN and isn’t recognised by the corporate network you can’t get past the login screen even if you do have the right password.

5. If the dataset is really sensitive or the account has godlike access, then enable MFA.

For a very long time, password security’s been advisory rather than mandatory (enforceable), unless the requirement is buried inside an ironclad and adversarial contract.

Problem with adversarial contracts is, eventually the people who’re having to pay to comply in order to win the contract eventually figure out that the sheer cost of adhering to such a complex contract outweighs the benefit of winning the contract, meaning they “no-bid”.

But the problem with advisory setups is, as we’ve found in the UK, the very people/orgs that you need to treat these things as inviolable requirements given what they’re doing, tend to be the ones going “Hmmm, yeah, but they’re more like guidelines.”


7 posted on 03/09/2026 12:41:07 PM PDT by MalPearce ("You see, but you do not observe" - Holmes to Watson, A Scandal in Bohemia)
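Controls 1 to 3 from the post above, as an added worked example that is not part of the thread or of the strategy document: a small Python login service that stores only salted scrypt digests (control 1), counts failed attempts per account and refuses further attempts once a window fills (control 2), and enforces a minimum length with no complexity or expiry rule (control 3). The policy numbers, the `LoginService` class and the user names are constructed assumptions, not anything the post specifies.

```python
"""Added example (not from the thread): controls 1-3 of the post as a login service."""
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

# Constructed policy values (assumptions): length-only rule, lockout window.
MIN_PASSWORD_LENGTH = 15      # control 3: minimum length, nothing else
MAX_FAILURES = 5              # control 2: failures tolerated inside the window
LOCKOUT_SECONDS = 15 * 60     # control 2: window over which failures are counted
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)   # memory-hard, ~16 MiB per hash


def password_acceptable(password: str) -> bool:
    """Control 3: the only rule is a minimum length; no character classes, no expiry."""
    return len(password) >= MIN_PASSWORD_LENGTH


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Control 1: keep a per-user salt plus a slow scrypt digest, never the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the digest and compare in constant time."""
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return hmac.compare_digest(candidate, digest)


class LoginService:
    """Constructed interactive-logon front end combining the three controls."""

    def __init__(self) -> None:
        self.users = {}       # username -> (salt, digest)
        self.failures = {}    # username -> timestamps of recent failed attempts
        # Dummy record so an unknown username costs the same time as a real one.
        self._dummy = hash_password("placeholder-password-not-a-real-user")

    def register(self, username: str, password: str) -> None:
        if not password_acceptable(password):
            raise ValueError(f"password must be at least {MIN_PASSWORD_LENGTH} characters")
        self.users[username] = hash_password(password)

    def _is_locked(self, username: str, now: float) -> bool:
        """Control 2: drop failures older than the window, lock if the rest fill it."""
        recent = [t for t in self.failures.get(username, []) if now - t < LOCKOUT_SECONDS]
        self.failures[username] = recent
        return len(recent) >= MAX_FAILURES

    def login(self, username: str, password: str, now: Optional[float] = None) -> str:
        """Return "ok", "denied" or "locked"; the lockout check runs before any hashing."""
        now = time.time() if now is None else now
        if self._is_locked(username, now):
            return "locked"
        salt, digest = self.users.get(username, self._dummy)
        # Always run the hash so timing does not reveal whether the username exists.
        valid = verify_password(password, salt, digest) and username in self.users
        if valid:
            self.failures.pop(username, None)
            return "ok"
        self.failures.setdefault(username, []).append(now)
        return "denied"


if __name__ == "__main__":
    svc = LoginService()
    svc.register("alice", "correct horse battery staple")   # constructed passphrase
    print(svc.login("alice", "correct horse battery staple"))
    for _ in range(MAX_FAILURES):
        print(svc.login("alice", "not the passphrase"))
    print(svc.login("alice", "correct horse battery staple"))  # locked despite being right
```

The lockout is checked before the digest is computed, so an attacker cannot use the account as a free scrypt oracle once the window has filled, and the unknown-user path still pays for a hash so response time does not enumerate valid names. A real deployment would persist the failure counters and also rate-limit per source address, which the post's control 2 covers but this toy keeps in memory only.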

To: MalPearce
Failure of 1 or 2 compromises the account. So there's no defense in depth with those, they are just one layer deep. #3 is common sense of course. Defense in depth is extra login steps like #4 and #5. The catch-all (#6) for defense in depth is simply this: assume everything will go wrong all the time, so take steps to limit the damage.

For example assume the user's password will be discovered on a sticky note so apply real time auditing of access so when the attacker (or an actual user) has an abnormal access pattern you lock them out.

8 posted on 03/10/2026 6:21:40 PM PDT by palmer (Democracy Dies Six Ways from Sunday)
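The "real time auditing of access" the reply above describes, as an added example that is not part of the thread: a Python auditor that learns each account's usual source addresses and login hours from a baseline period, then streams later login events and locks an account when a success follows a burst of failures or arrives from a new address at an hour the user has never logged in. The log format, the two rules, the thresholds and the sample events are all constructed assumptions.

```python
"""Added example (not from the thread): access-pattern auditing with automatic lockout."""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed log (assumption): "ISO-timestamp user source_ip outcome", one event per line.
SAMPLE_LOG = """\
2026-03-09T08:02:11Z alice 10.0.0.5 success
2026-03-09T08:40:03Z alice 10.0.0.5 success
2026-03-09T13:15:27Z alice 10.0.0.5 success
2026-03-09T09:05:44Z bob 10.0.0.7 success
2026-03-09T17:30:12Z bob 10.0.0.7 success
2026-03-10T03:11:02Z alice 203.0.113.9 failure
2026-03-10T03:11:09Z alice 203.0.113.9 failure
2026-03-10T03:11:15Z alice 203.0.113.9 failure
2026-03-10T03:11:40Z alice 203.0.113.9 success
2026-03-10T09:12:50Z bob 10.0.0.7 success
"""

FAILURE_BURST = 3          # constructed threshold: failures before a success
BURST_WINDOW_SECONDS = 300 # constructed window in which those failures must occur


def parse_line(line):
    """Split one constructed log line into (timestamp, user, source_ip, outcome)."""
    ts, user, ip, outcome = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, user, ip, outcome


class AccessAuditor:
    """Per-account baseline plus two streaming rules; flagged accounts are locked."""

    def __init__(self, baseline_lines):
        self.known_ips = defaultdict(set)     # user -> addresses seen in the baseline
        self.known_hours = defaultdict(set)   # user -> UTC hours of baseline successes
        self.recent_failures = defaultdict(list)  # (user, ip) -> failure timestamps
        self.locked = set()
        for line in baseline_lines:
            when, user, ip, outcome = parse_line(line)
            if outcome == "success":
                self.known_ips[user].add(ip)
                self.known_hours[user].add(when.hour)

    def observe(self, line):
        """Process one live event; return the list of rule names it triggered."""
        when, user, ip, outcome = parse_line(line)
        if outcome == "failure":
            self.recent_failures[(user, ip)].append(when)
            return []
        reasons = []
        burst = [t for t in self.recent_failures.get((user, ip), [])
                 if (when - t).total_seconds() <= BURST_WINDOW_SECONDS]
        if len(burst) >= FAILURE_BURST:
            reasons.append("success after failure burst")
        # A user with no baseline at all trips this rule on first sight by design.
        if ip not in self.known_ips[user] and when.hour not in self.known_hours[user]:
            reasons.append("new address outside usual hours")
        if reasons:
            self.locked.add(user)         # the "lock them out" step from the reply
        else:
            self.known_ips[user].add(ip)  # quietly extend the baseline on benign logins
            self.known_hours[user].add(when.hour)
        self.recent_failures.pop((user, ip), None)
        return reasons


def audit(log_text, cutoff):
    """Train on events before `cutoff`, stream the rest; return (alerts, locked accounts)."""
    lines = log_text.strip().splitlines()
    baseline = [l for l in lines if parse_line(l)[0] < cutoff]
    live = sorted((l for l in lines if parse_line(l)[0] >= cutoff), key=lambda l: parse_line(l)[0])
    auditor = AccessAuditor(baseline)
    alerts = []
    for line in live:
        reasons = auditor.observe(line)
        if reasons:
            when, user, _, _ = parse_line(line)
            alerts.append((user, when.isoformat(), reasons))
    return alerts, auditor.locked


if __name__ == "__main__":
    found, locked = audit(SAMPLE_LOG, datetime(2026, 3, 10, tzinfo=timezone.utc))
    for alert in found:
        print(alert)
    print("locked accounts:", sorted(locked))
```

Against the constructed log, alice's 03:11 success from 203.0.113.9 trips both rules and alice is locked, while bob's morning login from his usual address passes without touching the baseline, which is the point of the reply: the correct password alone is not enough when the pattern around it is wrong.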
