With the worst recession in living memory, a flu pandemic that some believe could eclipse the 1918 outbreak that killed over 675,000 Americans, and wars in Iraq and Afghanistan, you have to give President Obama credit for even finding the time to tackle the challenge of cyber security. Indeed, some might say that he is trying to do too much and that securing the nation’s IT infrastructure is not a top priority. We would disagree.
As the president observed, the digital world now touches every aspect of our lives; our real identity is increasingly mirrored by a virtual identity, spanning our social interactions, our finances, and even sensitive information about our health and personal life. The nation at large increasingly relies on a networked IT infrastructure to conduct business with citizens, manage government, and operate our national defenses.
This entire infrastructure is insecure. It has been breached countless times: just last week the National Archives and Records Administration lost an external hard drive that contained copies of sensitive data from the Clinton administration. It’s a safe bet that it will be breached again. National security will be compromised, and our personal identities will be threatened.
President Obama is appointing a “Cyber Czar” to champion security across the nation. He or she will report jointly to the National Security Council and the National Economic Council. Why not Homeland Security? As others have observed, there was a lot of infighting over the scope of the Czar’s role and the powers assigned to it. The result was a compromise, and we believe this in turn will compromise the outcome.
Here’s what we think any new Czar must do:
- Help evangelize the importance of protecting against internal AND external threats. Insiders with too much access can do as much damage to our IT infrastructure as external hackers, if not more.
- Use the government’s voice – and its purchasing power – to advance important security standardization efforts. Efforts to simplify, strengthen, and standardize web authentication such as OpenID, Liberty Alliance, and WS-Federation could use a strong government champion.
- Advocate the aggressive prosecution of identity theft, online scamming, and other types of cybercrime. We need more laws, more cops, and more effective punishment of criminals to keep the digital world from becoming an online Wild West.
In any event, a sound security program is not about sophisticated technology. It’s about appointing technology leaders who are capable of identifying basic security policies. A strong security program is only as good as a leader’s ability to ensure security policies are being enforced. This requires a holistic approach that should include all areas of the government’s IT infrastructure.