Monday, May 23, 2011

The Latest Obama Cybersecurity Plan Looks Awfully Familiar...

In case you missed it, the Obama Administration just unveiled its new cybersecurity plan for the nation. Many in the technology industry are showering it with praise, but is that praise warranted?
It's not necessarily that the Obama plan is bad or misguided, it's just that it's not a significant departure from previous incarnations of U.S. national cybersecurity policy.

What supporters are rallying around is the plan's call for a new cybersecurity coordinator who will answer directly to the president, the designation of cybersecurity as one of the President's "key management priorities", the development of better metrics for measuring improvement, and investments in education and R & D.

All of which sounds great; and all of which has been done before. Ever since the Bush Administration's National Strategy to Secure Cyberspace policy document in 2003, there have been several new cybersecurity coordinator positions created within the Executive Branch, metrics have been implemented, and there have been repeated calls for more education and R & D.

Above all, both the Bush and Obama plans focus on voluntary public-private partnerships as their core ideological tenet.

The "Action Plan":

  1. Appoint a cybersecurity policy official responsible for coordinating the Nation’s cybersecurity policies and activities; establish a strong NSC directorate, under the direction of the cybersecurity policy official dual-hatted to the NSC and the NEC, to coordinate interagency development of cybersecurity-related strategy and policy.

  2. Prepare for the President’s approval an updated national strategy to secure the information and communications infrastructure. This strategy should include continued evaluation of CNCI activities and, where appropriate, build on its successes.

  3. Designate cybersecurity as one of the President’s key management priorities and establish performance metrics.

  4. Designate a privacy and civil liberties official to the NSC cybersecurity directorate.

  5. Convene appropriate interagency mechanisms to conduct interagency-cleared legal analyses of priority cybersecurity-related issues identified during the policy-development process and formulate coherent unified policy guidance that clarifies roles, responsibilities, and the application of agency authorities for cybersecurity-related activities across the Federal government.

  6. Initiate a national public awareness and education campaign to promote cybersecurity.

  7. Develop U.S. Government positions for an international cybersecurity policy framework and strengthen our international partnerships to create initiatives that address the full range of activities, policies, and opportunities associated with cybersecurity.

  8. Prepare a cybersecurity incident response plan; initiate a dialog to enhance public-private partnerships with an eye toward streamlining, aligning, and providing resources to optimize their contribution and engagement.

  9. In collaboration with other EOP entities, develop a framework for research and development strategies that focus on game-changing technologies that have the potential to enhance the security, reliability, resilience, and trustworthiness of digital infrastructure; provide the research community access to event data to facilitate developing tools, testing theories, and identifying workable solutions.

  10. Build a cybersecurity-based identity management vision and strategy that addresses privacy and civil liberties interests, leveraging privacy-enhancing technologies for the Nation.

Sure, there are a few subtle changes in this new Obama plan. The fact that the new cybersecurity coordinator position will be dual-hatted to both the National Security Council (NSC) and the National Economic Council (NEC) is symbolically significant. But overall, these changes are mostly bureaucratic in nature. The main philosophical driving force behind the policy looks awfully familiar.

There is a reason for that. The vast majority of the Internet is comprised of privately owned and operated computer networks. This means that the vast majority of cybersecurity defense must take place in the private sector, and that the federal government is extremely limited in its capacity to effect meaningful change.

What the federal government should be held directly responsible for is 1) protecting the Internet's physical infrastructure (the actual wires and cables connecting networks and devices) within U.S. territorial borders and 2) safeguarding the digital information within its purview (like military intelligence and Social Security data) from outside intrusion.

Those two things ought to be the federal government's primary cybersecurity focus because those are the two things which it actually has some control over. Everything else in this discussion - like encouraging voluntary public-private partnerships, education, R & D, public awareness campaigns, initiating a national "dialogue", etc. - sounds nice and warm and fuzzy, and is definitely needed, but will inevitably produce rather limited results.

