The Cyber Security Institute’s Talking Points from President Obama’s Cyberspace Policy Review 6-2-09
President Obama released his new Cyberspace Policy Review this Friday, May 29th, which outlined his plan to improve America’s Internet and computer security. The review is the result of a 60-day, “clean-slate” evaluation headed by an interagency group. The key components of the review include:
- Leadership: The President will appoint a new cyber security policy official, or “coordinator.” This official will work across the federal government coordinating efforts in policy and technology, build agendas and help ensure the necessary budget is met to accomplish the President’s goals.
Review: “Leadership should be elevated and strongly anchored in the White House to provide direction, coordinate action and achieve results.”
Comment:
-Cyber security requires a leader. President Obama’s creation of a cyber security coordinator is a step in the right direction, but the job description lacks specifics such as: How much authority and power will they have? Who will be appointed and what will be the pre-requisites for appointment?
-The cyber coordinator must have the support of Congress, in both parties and in both houses, to ensure a large enough budget to accomplish significant goals.
-To be effective, the coordinator must be publicly appealing and be able to use the bully pulpit effectively. Support from the public is vital, as they use the Internet most frequently and on the largest scale; cooperation from them is therefore key to increasing security.
-The president must find a candidate who has widespread support, while having extensive background knowledge and experience in cyber and national security—no small task.
- Transparency: Officers or boards within the private, public and government sectors will be implemented to increase communication between the sectors and therefore increase trust. This enhanced level of trust will ensure greater success in efforts to strengthen security, while ensuring that privacy and civil liberties are upheld.
Review: “The Federal government should continue the principle of “mission bridging”…sharing of expertise, knowledge and perspectives…between network defenders and the intelligence, military and law enforcement organizations.”
Comment:
-We all know that sharing is important, but when it comes to sharing important information, where is the limit? For example, will this sharing bring technology providers into a pre-procurement process to identify operation requirements? Will there be requirements for sharing certain information among sectors? And if a player in the process refuses to disclose certain information, is there a penalty for keeping it confidential?
-To what extent does real sharing implicate antitrust concerns? And if it does, how will this be addressed?
-Additionally, sharing by the government is complicated by the classification and protection of much of the most important security information. Obtaining security clearances takes time and money and can require private individuals to disclose very private information. How will the government facilitate the sharing of information in classified areas?
- Education: The Federal government will implement a cyber security education program that will span from kindergarten to the university level. Public awareness will be spread through the use of public service campaigns promoting responsible use of the Internet. These campaigns will facilitate understanding of Internet security on all public, industry and government levels.
Review: “The Federal government should expand support for key education programs and research and development to ensure the nation’s continued ability to compete in the information age economy.”
Comment:
-Preventative education is one of the best ways to address a problem. The key will be in how this goal is implemented. How will the Federal government fund cyber security education? What sort of courses or teaching methods will be taught to ensure an impact is being made?
-It is difficult to determine a success rate for this type of education, so money could be wasted on programs that produce delayed, weak impacts on the public.
-Policymakers love to talk about education, but when the budget cardinals get their hands on these programs, they are almost always under-funded. Will these cyber education programs have the resources necessary to make an impact?
- Synergy: Increased collaboration between the government and public will guarantee a more cyber-secure America. The review calls for more information sharing through forums and partnerships between agencies, the industry and the public, in order to recognize common goals and plans.
Review: “The government should work creatively and collaboratively with the private sector to identify tailored solutions that take into account both the need to exchange information and protect public and private interests…”
Comment:
-The Institute supports collaboration where mutual agreements are being made that benefit each side.
-But there must be assurance that all parties are given equal opportunity for partnerships and information sharing. Are there incentives for particular partnerships compared to others? Will certain companies, agencies or organizations be favored over others for their importance or possession of high-level information?
-And while partnerships are very feel-good, we need to prioritize efforts so that we focus on things that can make a real impact.
- Standards: Through “incentive-based legislation”—for example, monetary consequences for service providers—government can encourage industry leaders to demand more security. The president stressed that the “Administration will not dictate security standards for private companies.” However, the review calls for new rules, oversight and laws that require notification of incidents and sharing of information with the government by the private sector. The review also advocates for partnerships in the global IT community to formulate an international standard of cyber security.
Review: “Another way to increase reporting is through consideration of appropriate data breach notification laws that require notification to the public and to the government, including law enforcement entities that could pursue investigations.”
Comment:
-The Institute strongly supports the use of incentives such as monetary “consequences” to drive the market for better cyber security. Without such incentives the status quo will remain unchanged.
-However, no one should believe that putting such measures into place—presumably this will require new statutory authority—will be easy. To get this done, the coordinator—and more importantly President Obama himself—will need to spend political capital and twist some arms. That said, we believe it is well worth the effort.
-As the Administration develops these mechanisms, a range of issues will need to be addressed, including: What would be the framework for these incentives? What kind of penalties are involved? Do companies who have more to lose decide the incentives aren’t worth it? Are the incentives strong enough to change market-driven behaviors?
-The new rules, oversight and laws outlined in the review provide negative incentives to the private sector. They need to be carefully crafted to not unduly inhibit cooperation needed for security improvement.
-Sustaining partnerships in the global IT community and finding an “international standard” of security may be problematic because of immense socio-economic, legal and cultural differences. Countries have different views on relationships between government and the people, as well as the amount of information and news the public is allowed to view. Any international law or standard is not only difficult to agree upon, but difficult to enforce. That said, such a standard could be a “game changer” if successful.
- Innovation: For successful innovations, governmental, industry and public sectors must collaborate on ideas to enhance security technologies and ensure they work to their full potential for each sector. The federal government will help implement new privacy technologies such as identity management systems that build trust between all parties involved in online transactions to assure confidential information is kept safe.
Review: “The Federal government will work with the industry to develop next-generation secure computers and networking for national security applications and tough new standards for cybersecurity and physical resilience.”
Comment:
-Innovation takes lots of time, money and investment. How much is the government willing to spend/invest on developing and implementing these new technologies? How do small businesses and individuals who may be unable to pay for their own security ensure their information is safe as well? How far are we willing to go for new innovations?
-Innovation and privacy also require a delicate balance; we must be sure individuals’ information is safe, while not making it impossible to check their bank statement online.
April 8th, 2010 at 2:03 pm
This is interesting. Please tell me - where can I find out more about this?