Monday, December 29, 2008

Rearranging Deck Chairs?

One often gets the feeling when working in the information security field that a lot of efforts to improve security are like rearranging deck chairs on the Titanic.  Small tweaks here and there don't make a lot of difference on a sinking ship.  While the state of information security isn't that bad, the legislation created to address it often is.  Having worked on Capitol Hill for a while, I certainly sympathize with the urge to legislate solutions.  After all, that's what legislators do.  If they had the power to hunt down and capture hackers, they'd probably do that instead, but that's not their job.  In a recent post I talked about the Center for Strategic and International Studies' Securing Cyberspace for the 44th Presidency report.  In a recent column, the commission's congressional co-chairs, Representatives Jim Langevin (D-RI) and Michael McCaul (R-TX), focused on some actions to be taken by the federal government.  While laudable in their goals, the recommendations are reminiscent of prior efforts to find all things bad.  While not declaring a war on hackers, the column has a feel similar to the war on drugs, the war on terrorism, and the war on poverty.  What we've learned from all of those adventures is that the devil is in the details.  Until you force someone through threat of fine or imprisonment, or actually appropriate scarce resources, no one really pays attention.  So with that in mind, let's walk through some of the suggestions.

We would begin by announcing a national cyber doctrine, declaring the cyber infrastructure of the United States to be a national security and economic asset that requires protection using all instruments of national power - diplomatic, economic, military, law enforcement and intelligence.

This has the sound of Mom and apple pie.  However, until you start saying that it's more important than some other program, and what gets cut to pay for it, you're not really saying much.  When everything is important, nothing is important.

The Federal government must be reorganized to effectively implement our national doctrine.  Today, many people and agencies are responsible for securing pieces of cyberspace, but nobody is in charge of the overall vision.  We recommend creating a National Office for Cyberspace within the White House to provide oversight, clarify agency responsibilities, ensure accountability and increase transparency and collaboration for the many cybersecurity programs across multiple agencies.

Where have we heard this before?  It seems like every solution has to start with some sort of reorganization.  It's a way of appearing to do something without really doing anything.  We created the Office of the Director of National Intelligence so that someone would be in charge of the intelligence community.  So far its success has been limited, because most of the budgets and operational capabilities still reside in the individual agencies.  For years the Office of Management and Budget has sought to limit cost overruns in IT budgets and to make agencies more secure.  Those efforts have failed in part because the office had limited enforcement power and limited technical expertise.  The proposed Office of Cyberspace would create another island of influence that would presumably have very limited staff and budget with which to make the changes needed.  What's ultimately needed is a real leader who is empowered to marshal resources and push forward real innovation, while understanding the challenges faced by government agencies and private sector organizations.  Keeping that role within the Department of Homeland Security, but giving the person more autonomy and budget, may be the better option.  DHS is already starting to assemble a variety of cyber security programs for government and private industry that are getting some traction.  Placing strong leaders atop these efforts would seem to do the most good.

In order to secure and protect privately owned critical infrastructure from cyber attack, we must reinvent the partnership between government and private industry. We believe a new collaborative regulatory model that espouses sensible regulations, combined with incentives, will result in stronger cybersecurity throughout the private sector.

The statement implies that there's one regulatory model in place.  The reality is that the model varies by industry.  In some cases that may make sense, but in most cases it doesn't.  However, the real issue is enforcement.  Banking has made greater strides in information security due, in part, to tighter regulation of information security practices (I realize the irony of suggesting that banking has tight regulations given the recent financial crisis, but the regulations and their enforcement are more significant compared to other industries).  On the other hand, enforcement of HIPAA's security requirements in the healthcare industry is practically non-existent, so those organizations don't put a lot of emphasis on information security.  That may be the right thing given cost factors and the greater importance of patient care.  Nonetheless, it demonstrates the challenge of accomplishing such goals through regulation when the enforcement structure is virtually non-existent: a rule that is never enforced is, in practice, a voluntary guideline.

Finally, federal support for focused research and development is a critical component of any successful strategy. We must invest in longer term research and development designed to create a more secure ecosystem.

No argument there, but the devil is in the details.  Any research needs to be focused on goals that are measurable and achievable, not simply funded to show that something is being done.

Notwithstanding my criticisms, I applaud the efforts to make a difference with this very difficult problem.  We just need to resist the temptation to keep reinventing the wheel.
