National Cyber Security: Round Three
By Michael Tanji | May 29, 2009
With a televised speech on the subject of cyber and infrastructure security (one of the better ones I have ever heard), so begins the Obama administration's foray into the defense and security of cyberspace. Every administration for the past 15 years has done it to one extent or another, yet, as pointed out repeatedly, we're not all that much better off today than we've been since computers became a part of our lives. As a matter of fact, it was recently pointed out that the plan going forward looks a lot like the plan that was offered up six years ago. How much has changed since then? Not much.
Tens of billions of dollars are about to be spent on national cyber security problems. If there is any hope of real change, we need to stop with the platitudes and banal buzz-word boilerplate and take some serious action:
Fire the most egregious violators of security policy. There is no government agency that doesn't make you acknowledge their policy on cyber security. There are also penalties for violating that policy; they are rarely enforced and when they are it is very hush-hush. That has to stop. If you make a mistake, OK, but if you're storing gigs of illicit images or are running your eBay empire off a government PC and Internet connection, you not only need to be publicly dismissed, you should also be aggressively prosecuted. People usually don't break rules when prison is involved.
Hold security and management accountable. It's so much easier to sweep violations under the rug when they're cyber-based, but no agency managers would let the same sort of behavior, if carried out in meat-space, go unpunished. If you treat security like a checklist, you're not a security manager, you're a clerk. If checklist security is all you fund your security shop for, you are not a serious executive, you're an ignorant bureaucrat.
The flip side of the coin: don't view security as a 'deny-all' prospect. Understand - really understand - the risks and plan and operate accordingly. That means changing the way you work to avoid or reduce your exposure to risk. Systems process information and information - no matter how valuable at this moment - has a half-life. If you are designing systems and operating them in a fashion that maximizes your technological capabilities, security really only has to be good enough.
If you're in a leadership position - and pardon my age-ism - accept that you're not going to "get it" and appoint people you trust who do get it to make things happen. Don't be the old geezer shaking his fist at 'those darn kids and their inter-webs!' You are in charge of your agency; you are not your agency. If you're not advancing your agency with the times because you are not comfortable, you are failing those you have sworn to serve.
Hand in hand with that last point: don't run from fear; embrace and exploit it. For all our might in the physical world, the US is regularly used and abused in cyberspace. Like Neo in The Matrix, we have to recognize that in cyberspace our physical prowess counts for naught. Some argue that a nuke is a legitimate response to a sufficiently harsh cyber attack; I say if you're fighting bytes with nukes you've punted dominance of the cyber domain to the malcontents.
The Cyberspace Policy Review says we're "at a crossroads;" past efforts have talked about our hearing "a wake-up call." The fact of the matter is that we're too far down the road - hitting the snooze button all the way - to keep up the pace of talk, half-measures, and failed responses. Serious cyber and infrastructure security comes at a price that is deeper and more expensive (on multiple levels) than what is being budgeted for. Unless we as a nation are prepared to pay that price, we should stop pretending we care about these problems.