As we anticipate the appointment a cyber security czar, it feels a bit like déjà vu. After all, we continually seek out saviors to solve intractable problems that no one can really solve on his/her own and then we are surprised when nothing happens. When the Department of Homeland Security created the National Cyber Security Center and implied that its head would be the cyber security czar, people were right to complain that a position buried in the DHS bureaucracy had little chance of succeeding. Not surprisingly, some of the best and brightest who have been appointed to that position have not stayed long. Part of this may be a matter of unrealistic expectations. After all, calling someone a czar, even informally, sort of implies that the position actually has some real power. In government real power is usually defined by two things: having the authority to spend money and to impose rules that people have to follow (i.e., they'll be fined or go to jail if they don't do it). Neither the current cyber security czar nor the one proposed seems to have either of these characteristics. And that may not be all that bad.
The Center for Strategic and International Studies' Securing Cyberspace for the 44th Presidency Report covers familiar territory in effectively describing what the President and his czar would do. Most of these ideas have been tried and failed, largely for two reasons, lack of money and lack of enforcement authority. The government will never have enough money to fix cyber security nor should it be spending money fixing what is largely a private sector problem. Instead, the czar should really be more like a cheerleader, using his/her influence, expertise, and facilitation skills to accomplish the goals laid out. The private sector wants secure systems, but it doesn't want prescriptive mandates that are narrowly tailored to address the most recent incident. Developing consensus from the position of an honest broker who is more interested in security cyberspace that building an empire or favoring a particular vendor is the preferred approach. I believe several of the individuals proposed for the position have that ability so long as they are unencumbered by a bureaucracy trying to score political points or win more appropriations. That would be one argument for moving the position to the White House. However, White House "czars" don't have a very good track record either. Being disconnected from the day-to-day operations of government, and where, like it or not, a growing cyber security capability is forming, is not such a good idea either. Ultimately the position requires a true leader who has the respect of the cyber security community, the private sector, and government. As Bismarck once said, "Those who enjoy good sausage and good laws should not see how either one is made." Real progress is possible, but it's going to be messy.
No comments:
Post a Comment