title

Cybersecurity - what will the attention span be this time?

By: Scott Bradner

The idea that the White House would be interested in cyber security is not a new concept. At least since President Bush appointed Richard Clarke as U.S. coordinator for Security, Infrastructure Protection and Counterterrorism there has been at least some level of attention to this topic. But, to date, this attention seems to fade quite quickly after someone is appointed to a high-level cybersecurity czar like role. Most of the people who have taken on that role have quickly quit in frustration. (See Insecurity (or is that frustration) at the top http://www.sobco.com/nww/2004/bradner-2004-10-11.html and https://www.networkworld.com/news/2009/031109-resignation-exposes-opposition-to-nsa.html) We can all hope that the results will be different when President Obama completes the start up of White House's latest cybersecurity initiative by appointing a Cybersecurity Coordinator.

The President said lots of good things when he announced his cybersecurity plans. (http://www.whitehouse.gov/the_press_office/Remarks-by-the-President-on-Securing-Our-Nations-Cyber-Infrastructure/) He announced the release of the "60-day" cyberspace policy review

(http://www.whitehouse.gov/CyberReview/) and announced "a new comprehensive approach to security America's digital infrastructure." (http://www.networkworld.com/news/2009/052909-obama-announces-new-cybersecurity.html) He announced a 5-part approach.

o treat the US digital infrastructure as a "strategic national asset" and appoint a Cybersecurity Coordinator who will have "regular access" to the President,

o work with state & local governments as well as the private sector to ensure an "organized and unified response to future cyber incidents,"

o "collaborate with industry to find technical solutions that ensure our security" but "will not dictate security standards for private companies,"

o invest in research, and

o promote cybersecurity awareness and digital literacy.

He made a point of saying that the cybersecurity plans will not involve monitoring private sector networks and that he is committed to net neutrality to "keep the Internet as it should be -- open and free."

As I said, he said lots of good things but there will be a lot of opportunities to have this initiative wind up as the prior ones have -- window dressing that does not even successfully hide the quite real cybersecurity problems facing the country and the world.

The Administration's plans seem to mostly come from the 60-day cyberspace review led by Melissa Hathaway, currently the cybersecurity chief at the U.S. National Security Council. There is also a lot of good stuff in this report. But there are parts I do worry about.

The report includes a table listing a 10-point near-term action plan. Most of the plan is reflected in the President's announcement but a few parts did not make it. For example, the report calls for the designation of a "privacy and civil liberties official" but the President did not mention that point.

I do worry about the report's call for a "cybersecurity-based identity management vision and strategy." In spite of the reports good words about addressing privacy and civil liberties interests, I find it hard to see how any system of identity management will not wind up with someone being able to keep track of who is doing what on the Internet - a wonderful prospect to repressive governments and some law enforcement officials -- but not so wonderful to anyone with a legitimate need for anonymity. ( See http://www.sobco.com/nww/1995/bradner-1995-05-01.html and http://www.sobco.com/nww/2000/bradner-2000-03-06.html)

As a long-time participant of the IETF (http://www.ietf.org) I also worry about the report's push to bring together "like-minded nations" to worry about technical standards for the Internet. The Internet got to be the innovative powerhouse it did mostly because we did not have governments deciding what standards would be good and what would not. Few governments would have supported anything like the Internet of they had a chance. (see http://www.sobco.com/nww/1999/bradner-1999-12-13.html and http://www.sobco.com/nww/1996/bradner-1996-08-05.html)

Clearly something needs to be done about the current appalling state of what passes for security in the country's cyber infrastructure but I do have a big worry about the baby vs bathwater ratio of what this initiative has in mind.

disclaimer: Many people at Harvard work on ratios of some type of good vs some type of bad but I know of no university opinion on the balance in this report or initiative so the above exploration is mine.