This is a guest post that I solicited today after President Barack Obama’s major cybersecurity announcement. I felt it was important to get the views and opinions of someone in the field. Enjoy! ~editor
Today President Obama announced the creation of a White House cybersecurity coordinator position and discussed the 60-day Cyberspace Police Review conducted by Melissa Hathaway. He repeated his mantra regarding transparency and accountability, and touched on the many aspects of cybersecurity that impact America- economy, infrastructure, military, open and efficient government operations. He certainly displayed his tech-saavy and awareness of information security terms. Yet, what changes is he really talking about? What practical actions can we expect to see?
He calls our cyber infrastructure “œthe backbone that underpins a prosperous economy and a strong military”. Right away he acknowledges that the lag in consumer confidence in online transactions and electronic networks is a strong factor in our slumping economy. Recognizing the economy and the military importance in a single sentence like this emphasizes that the idea that online transitions and communications should be able to be trusted equally by consumer and intelligence community alike. The fact that this new position, which oversees the new cyber security policies, is part of the National Economic Council and the National Security staff is the practical embodiment of this idea. Recognizing that securing online transactions and communications are critical not only to security, but the economy, ensures that he will be able to use greater budgetary discretion when bolstering funding for cyber initiatives. While he focused on the importance of consumer confidence, I was surprised that the exact figure regarding the billions of dollars lost due to fraud every year was not emphasized here. His bottom line is that we are losing money due to fraud, but we are losing even more money because of the fear of fraud.
The president then declared that, “œFrom now on, the networks and computers we depend on every day will be treated as they should be — as a strategic national asset.” This is an acknowledgement that the infection of these privately owned devices can seriously compromise the security of an entire nation- and not necessarily our own. When the cyber attack on Georgia occurred in September of 2008, the speculation was that the success depended largely on the infection of US PCs. These acted as a botnet to attack Georgia. Russian hackers certainly knew that Georgia was not prepared to cut off traffic from the United States. The President seems to acknowledge that they can no longer ignore the threat that comes from the computers of average citizens. Part of this is addressed by his motion to create an education campaign to address business, educators, and the average American. I believe he wants to educate people to the risks they present to the nation when they ignore an infected computer or leave their internet connections open and unprotected. On a business level, I believe these comments spring from the Aurora experiment, which demonstrated the vulnerability of our power grid. He is placing a responsibility and forcing the industries to acknowledge that their reliance on cyber systems is both an asset and a risk. He is careful to emphasize that the solution is not to eliminate or control the asset, but to mitigate the risks.
The president promised the new position would “œ”¦work with”¦state and local governments and the private sector to ensure an organized and unified response to future cyber incidents.” His focus here is on being transparent, issuing warning and updates and most of all- creating a format that is not “œad hoc”. This is something that security breach specialists have been calling for- a uniform procedure and response. There is too much variation in the thresholds, requirements, and regulations regarding the reporting, disclosure and handling cyber incidents today. I expect that companies can expect to see an outline of thresholds and reporting guidelines for reporting incidents. I also expect that notification will be required far earlier into the discovery of a compromise, so companies will not be able to “œgather all the facts” before informing the public and appropriate agencies of the incident. I would expect that more details will be provided, and agencies will be encouraged to coordinate in efforts to address vulnerabilities rather than keeping them secret until a solution can be found. Promoting the sharing of information about vulnerabilities should be seen as a benefit to the entire sector and not as a liability for the individual company. HowÂ or if Obama plans to protect companies and agencies from the losses that may occur during the interval between sharing a vulnerability discovery and its “˜unified response’ will make or break this initiative. This is consistent with the recommendations in the Cyberspace Police Review.
Speaking on that note, the President stated, “œWe will strengthen the public-private partnerships that are critical to this endeavor”¦ let me be clear, my administration will not dictate security standards for private companies”. This will be the most difficult of his agenda items to live up to, and the one that he will be most criticized for. Many private companies fear information sharing, vulnerability sharing and full disclosure of data breach details. It will be a long and difficult road to convince the private sector that it is in their best interests to cooperate. The Cyberspace Police Review calls for a neutral third-party agency to take information and share it appropriately, but I doubt that will be enough to change the habits of the industry unless it is mandated. It will be difficult to maintain his other goals without some industry pressure or regulation. The market simply does not correct itself when it comes to matters of information security and commerce. I personally believe this speech was intended to hint that it is in the private sector’s best interests to cooperate with this collaboration if they want to remain as unregulated as they currently enjoy. I believe that the current amendments to privacy and security legislation are an attempt to ease changes into the industry by simply “œtweaking” aspects of current accepted regulations and rules.
Finally, his emphasis remained that they “œwill not”¦ will not include monitoring of private sector networks or internet traffic”¦ I remain firmly committed to net neutrality, so we can keep the internet as it should be- open and free”¦ A new world awaits, a world of increased security and greater potential prosperity”. This is an important distinction to make, and another subtle hint that the open and free market of the internet is critical to our economy and safety. He demonstrates his understanding that greater security does not mean the compromise of privacy or civil liberties, and therefore regulating the internet is not the answer. Recognizing net neutrality as a part of his cyber security efforts was a great way to try and smooth any ruffled feathers by the greater internet community. Since many of these initiatives address technology not widely used or available, it is more important for President Obama to emphasize what would not change as a result of this new position.
Ending his speech President Obama focused on the leadership we experienced in the 20th century and promised leadership in the 21st century. This has been another mantra of his- that we are able to lead, that we are leaders, even in this economy. Given the changes he is trying to make across government and industry, the belief that we are leaders in privacy and security is more important than the reality. I believe he stayed away from drawing comparisons internationally for this reason. Americans still have a bit of the cowboy spirit, and the best way to harness it is to convince the public that we are blazing a new trail of cyber security and policies. The spirit of innovation is obviously an important cultivation in this endeavor, and he makes no bones about his willingness to invest in education, training and programs necessary to nurture it. Practically, we should expect to see more government grants and funding in math, science and technology. Scholarships, research projects and grants are on the horizon as incidents to strength the public-private partnership. The question is- with what strings attached?