When it comes to cybersecurity and public policy, I’m as big a cynic as anyone. Why? From a historical perspective, cybersecurity issues were first recognized during the Bush administration (41, not 43). Over the subsequent 20+ years we’ve experienced misinformed rhetoric, overlapping agendas, and inaction but little meaningful progress.
Now I realize the President has some higher priority issues to deal with and that cybersecurity is neither sexy nor universally understood. That said, there is no denying that things are getting progressively worse. Just this week, Congressman Mike Rogers (R, Michigan) stated that he believed that 95% of private sector networks are vulnerable and most have already been attacked.
So what can President Obama do about cybersecurity without exposing the public to a geeky public debate or getting mired in yet another partisan dog fight? I have a few suggestions for POTUS:
1. Appoint two new cybersecurity “czars.” In May 2009, President Obama declared that he would create a cybersecurity coordinator position who would become a member of the National Security Council and the National Economic Council. By the time Howard Schmidt assumed this role several months later, the position had become more ceremonial than operational. In my humble opinion, federal cybersecurity leadership should be a 2-person job. One individual should be internally focused on federal matters like working with Congress, NSA, DoD, and Federal IT. This person’s objective should be legislation, program oversight, and budget dollar allocation. The other cybersecurity “czar” should be externally focused with responsibility for public awareness campaigns, public/private partnership, cybersecurity training and technology industry relationships. This latter position calls for a strong media-savvy persona along the lines of former Federal CIO Vivek Kundra. The goal? Rally and educate the country at large.
2. Establish a Federal cybersecurity chain of command. With the threat of budget cuts looming, DoD, Homeland Security, National labs, and other Federally-funded organizations are tripping over each other for cybersecurity ownership and budget dollars. This has led to numerous redundant programs on the one hand and big gaps in expertise and coverage on the other. As suggested above, someone needs to assess the whole enchilada, weed out redundancy, identify needs, and put together a coherent strategy. In this era of Federal debt and budget debate, it would be criminal if the President didn’t address this.
3. Bolster Federal programs for cybersecurity awareness and training. Everyone uses a computer, smart phone, or tablet these days but few folks really understand cybersecurity issues. I’m not suggesting that we need a nation of CISSPs but I do think we need a public service campaign – a la Smokey the Bear – to educate citizens on how to better protect themselves on-line. Additionally, we do need a heck of a lot more CISSPs and experienced cybersecurity pros as these folks are in high demand but short supply. We need more scholarship programs from NSF, NSA, DoD, and the private sector.
4. Drive International cybersecurity cooperation. We keep hearing about attacks emanating from China, Iran, and Ukraine but we hear almost nothing about an International cybersecurity agreement. Alarmingly, Washington has upped its rhetoric on “offensive” cyber operations just when the President is feeling heat about his use of unmanned drones. Ironically, the Russians have been one of the most aggressive nations to propose cooperation, albeit with a self-serving agenda. Nevertheless, we need to build on Russia’s proactive effort and establish a cybersecurity Geneva Convention before some 3rd world nation attacks the infrastructure of a world leader in lieu of a kinetic war.
With the right focus and support, the President can demonstrate real cybersecurity leadership without boring the country with nerdy details about APTs, DDoS, and SQL injections. The President has a somewhat Faustian compromise to consider: Either establish a pragmatic cybersecurity strategy for the U.S. or wait until some cyber attack leads Washington to a wave of finger pointing, reactive policies, and horrible legislation. I hope he chooses leadership rather than pushing cybersecurity under the rug and risking a visible cyber attack and subsequent legislative chaos.