Who Needs a Cyber Czar?
We need a broker, not a boss
By Michael Tanji | July 20, 2009
Apparently the job is open, but no one is applying (or at least those that have aren't being considered despite the leadership black hole, which says something positive about those making the hiring decisions). Some folks are concerned, but I'm not because I think we can get along without a cyber czar just fine.
For starters, no matter their qualifications, the czar is going to spend a lot of time wasting time. There is an office to staff and meetings to hold and back-office nonsense to deal with before any work can get done. Then you've got to have at least one study commissioned, a bunch of "fact-finding" meetings, meetings with other government officials, meetings with industry officials, meetings overseas, speaking engagements, etc., etc. All this to construct a wheel-reinvention shop that is unlikely to have any significant impact on the state of cyber security in this nation.
It'll have no impact because it'll have no real authority over the core elements of cyber space that need securing. Until it is nationalized, Verizon isn't going to give a darn what the cyber czar says, its going to do what it can to ensure traffic flows. Bank of America isn't going to become a font of intrusion-related data because the cyber czar asks nicely, its going to keep systems secure enough to facilitate commerce. Members of the defense industrial base that get pwned aren't going to start opening their logs to the government, they're going to keep their mouths shut because they like working for the government. Despite grandiose claims to the contrary, the government has very little direct impact on how safe national resources are online.
Let say, for the sake of argument, that the czar did have a lot more pull with industry than he actually would; how does he put that juice to good use? Given that the czar and the individual with the power to make things happen in cyber space are not the same person: he doesn't.
We don't need a czar, we need someone with a lot of betweenness and closeness (in social networking terms) to make sure that people who need to are talking, sharing, and collaborating as they best see fit. We need progress - period - and that doesn't come from edicts passed down from echelons-above, it comes when people who trust each other open up their kimonos (figuratively speaking). We need a facilitator (who can do all this work alone and with just the tools that'll fit on his laptop) and not a figurehead because that's the closest were going to get to working like our adversaries. Cyber crime/attack networks can be world-class in skill and international in scope, ad hoc in configuration and short in duration. The botnet that denies service to your governmental web sites might have been assembled by a Brazilian, who borrowed code from an Israeli, who launders his money through a Russian; none of them have met in person, and next month they may all switch roles - and throw in some Americans and Chinese to boot - for a totally different attack. And we wonder why our industrial-age approach continually falls short.
Forget trying to shoe-horn technology stars into gov't jobs (a worthy if doomed-from-the-start experiment) or creating more useless bureaucracy with another czar. Progress on the national cyber security front is going to come from that age-old mechanism for getting things done in bureaucracies: IKAGWKAG ("I know a guy who knows a guy"). The guy (or gal) who knows the most guys is the guy (or gal) you want in this job. Poll some of the usual suspects (or just hire this guy) and then sit back and watch what happens when you stop fighting real problems with a Visio diagram.