Obama’s Cybersecurity Initiative a Step in the Right Direction

By  |  Friday, May 29, 2009 at 5:39 pm

Today, U.S. President Barack Obama took the wraps off of a 60-day review of the nation’s electronic infrastructure. The report outlined concrete steps towards achieving better security, called for the creation of a cyber security czar in the White House staff, and emphasized the importance of respecting people’s privacy.

In April, I wrote “Obama gets it,” in an article about how critical U.S. infrastructure was vulnerable to damage and disruption. While some of the details haven’t been shared yet, the initiative that the President announced today does chart the right course.

The report concludes that the federal government needs to increase its investment in achieving security and resiliency in information and communications infrastructures, and calls for a public-private partnership to coordinate responses to cyber attacks in addition to rallying international cooperation to mitigate security risks.

Another goal is to educate the public about the importance of cyber security, but with incidents such as the U.S. Army being hacked in news headlines, reality has already helped there.

Obama’s plan mirrors a bipartisan effort that was championed by U.S. Senators John Rockefeller (D-W.V.) and Olympia Snowe (R-Maine). The bill that they proposed also called for a White House position to coordinate all Federal security efforts.

Rex Black, a well-known security expert and president of Rex Black Consulting Services, told me that it was understandable that Obama would want someone to fill that role. The position should be staffed by the White House rather than the Commerce Department or Military due to the turf wars that would inevitably happen, he added.

The report strikes a political balance: New laws and mandates could come as a consequence, but the White House said that it would avoid imposing new requirements on the private sector if it could be avoided. Privacy was also mentioned more than 60 times in the report, and the President said unequivocally, “Our pursuit of cyber security will not–I repeat, will not include–monitoring private sector networks or Internet traffic.”

Overall, I am heartened by the high priority that Obama has placed on this very serious problem so early on during his Presidency. He is giving credibility to the people that are trying to solve it, and that will only help drive towards a solution–even if we have to walk before we can run.

 
4 Comments For This Post

  1. JDoors Says:

    Certainly this issue is of vital importance to both national security and unfettered commerce, but:

    @Rex Black: “The position should be staffed by the White House rather than the Commerce Department or Military due to the turf wars that would inevitably happen …”

    Whatever the excuses given, my gut feeling is that it’s yet another White House power-grab. Why don’t we avoid the issue of “turf wars” entirely by giving the White House power over EVERYTHING? We seem headed in that direction as nearly everything seems to require a White House Cabinet level position nowadays.

    @White House report: “The White House said that it would avoid imposing new requirements on the private sector if it could be avoided.”

    Translation: “It can’t be avoided, you know it, and we know it.”

    @Obama: “Our pursuit of cyber security will not–I repeat, will not include–monitoring private sector networks or Internet traffic.”

    Translation (for the sake of brevity just the first five words, “Our pursuit of cyber security”); “We WILL engage in spying, you know it, and we know it, we’ll just call it something other than ‘cyber security,’ like, I dunno, ‘statistical analysis’ or something.”

  2. David Worthington Says:

    @jdoors

    Here is Rex’s full quote.. I just paraphrased, because I used it word for word in an SD Times story.

    “I don’t know about the security czar idea, but I can see why he went that way. These cross-agency czars tend not to get much done. However, if Obama had put this in the Department of Commerce, the intelligence people would go nuts, if he’d put it in the military, the branches would argue about which branch should get it, etc., etc,”

    Further, I’ve read that the NSA did not seek the position (even though it has the top experts), and that there were concerns about giving it too much power domestically.

    It’s just speculation on my part, but maybe that is why the Senators asked for the position to be created in the White House.

    As for new regulation… I’m not certain about whether it will happen. Cybersecurity was never before made a national priority. We’ll just have to see what happens – this is new territory.

    There are many players in the industry that are pleased about Obama’s desire for public/private partnerships. Green Hills and Microsoft being just two examples.

    The UK has had a push toward regulating how software is made by establishing a liability framework. Here’s a summary.

    “Efforts to promote best practices have been hampered by a lack of commercial incentives to make products secure. The committee’s solution is to propose transferring the cost of insecurity onto demonstrably negligent hardware and software manufacturers, with the long-term goal of establishing a framework for vendor liability across Europe.”

    Read more about it here. http://www.sdtimes.com/link/31110

  3. JDoors Says:

    Thanks DW, the full quote doesn’t really change how I feel though. “Those cross-agency czars tend not to get much done.” As opposed to White House cabinet-level czars who amaze us all with their unflagging efficacy? I dunno about that! 😀

    As for the other problems with placing responsibility for cyber security where it belongs, is everyone saying the system is broke, so why not just give it to the White House to muck around with? Is there evidence that works any better?

    Interesting that you give the benefit of the doubt to the possibility (i.e., inevitability) of “new regulations” while concluding your reply by quoting proposed new regulations in the UK that are potentially onerous and would likely prove to be crippling to the economy. Imagine the government, and lawyers, licking their chops at the thought of suing Microsoft for being “negligent” regarding security — Hey, that’s how we’ll fund the program! 😉

  4. David Worthington Says:

    I’d say that Microsoft has done more than most companies with its SDL (Security Development Lifecycle). It’s being emulated around the industry, and most companies aren’t sharing their development processes. Microsoft just created a VSTS template for enterprises to follow the SDL for their own apps. They wouldn’t be negligent IMHO.