Back | eWEEK.com | Search
What Kind of Cyber-security Czar Do We Want?
By: Larry Seltzer
2009-03-10
There are 7 user comments on this Network Security & Hardware story.
Receive eWeek news alerts on your mobile device.
Get the latest breaking news with mobile-formatted article links.
Click here to subscribe
E-mail
Print
PDF Version
What kind of national cyber-security officer could really make a difference? Do we really want to have an Internet under that kind of thumb?
During his campaign, President Obama promisedthat he would "make cyber-security the top priority that it should bein the 21st century. I'll declare our cyber-infrastructure a strategicasset, and appoint a national cyber-adviser, who will report directlyto me."
About a month ago Obama appointed Melissa Hathaway, who served asthe cyber-security coordinator executive under Mike McConnell, formerPresident Bush's Director of National Intelligence, to be a seniordirector at the National Security Council. She is currently performing a 60-day review of security of federal systems.She is also a leading candidate to be the "national cyber-adviser" towhich Obama referred in the campaign, assuming he goes through withsuch an appointment. Currently she is several steps away from reportingdirectly to the president.
Many years after creating a Director of National Intelligence(the new one is Dennis C. Blair), specifically in order to coordinateall the various sources of intelligence and make sense of them, itseems we're not very good at that, according to a report examined by the Wall Street Journal."Cultural, organizational and technical obstacles have slowed effortsto move information across agency boundaries," according to thearticle. Expect cyber-security to be a similar problem, and rememberthat it is one of those components that needs to be coordinated by theDNI.
I actually assume that the DNI really did try to do a better job,and it seems the report says they did accomplish some things, just thatthey have a long way to go. But it's a really hard job, andcoordinating cyber-security for the nation is really hard, too. Itcould be that it's a job doomed to failure; could we actually makethings worse?
Absolutely we could. It's worth asking at the outset what we'retalking about defending; is it just federal government systems, inwhich case the czar is really just the federal CSO? This is not onlyunobjectionable, it's a pretty good idea. I'm sure most large federalagencies have a CSO or someone with such responsibilities (correct mebelow if I'm wrong) but it's fair to have a coordinator directing acommon security policy above them, one who can also help them to gettheir jobs done by providing political weight. This position reallyneeds to report directly to the president? That I don't understand.
Already we've seen that political decisions are central to how this effort will be made. Just the other day themost recent person in charge of federal cyber-security, Rod Beckstrom,head of the U.S. National Cyber Security Center, resigned,complaining that all the authority was being taken from the Departmentof Homeland Security and put in the National Security Agency. That andthe fact that his group was only sparsely funded. Even if this is justa job about federal systems, should it be run out of the NSA?
And if we're talking about someone who's in charge of security forthe whole of U.S. Internet infrastructure, the idea is pretentious anddangerous. Today an appointed czar would have no real authority overbadly administered Web servers, ISPs that have insufficient controls,networks with no DNSSec or IPv6 support. And there is no U.S. border todefend on the Internet; many significant U.S. Internet assets are tiedclosely with assets owned by the same organizations abroad.
If the government is supposed to have real authority in this regardit would take new and highly intrusive legislation to do so, and noneof us would take it sitting down. If they won't have the authority,then nothing has really changed, which is maybe the best way to goabout things.
What would you do if you really wanted to shape up the nation'snetworks? You'd need someone in charge with real authority, like a realCTO or network admin at a real enterprise. Imagine it: someone with theauthority to quarantine infected systems; the authority to disconnectnetworks that are poorly, perhaps even maliciously, managed; theauthority to ban old and insecure products and, conversely theauthority to mandate new and secure ones, like DNSSec and IPv6; theauthority to tell people "no, you can't do that with your own computer."
There is no way we would ever put up with authority like that on theInternet. There's no way service providers would put up with it either.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
For insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer's blog Cheap Hack.
© 2009 Ziff Davis Enterprise, Inc.
Mobilized by mDog.com
