There's been a lot of talk in the past year about how the federal government will make protecting our nation's digital infrastructure "a national security priority" and appoint a national cyber-security coordinator to orchestrate and integrate "all cyber-security policies for the government." At the same time, there have been numerous reports, proposed legislation and cyber-events that combine to highlight the growing vulnerabilities of the global IT infrastructure and susceptibility of our nation's critical infrastructure to cyber-crime and cyber-terrorism.
A year ago, there was optimism because it appeared that the Obama administration recognized the need and had new enthusiasm for tackling the nation's cyber-security policy deficiencies. But as the government continued to chug along, there seemed to be a general reluctance to move forward boldly until the nation had an appointed national cyber-security leader. Now that President Barack Obama has appointed Howard Schmidt as the nation's first cyber-czar, much needs to be done to recapture the time that has passed.
In his 1994 book, Agendas, Alternatives, and Public Policies, John Kingdon coined the term, "policy window" to describe the process of how policy issues achieve enough momentum to get traction on the government agenda. Kingdon's model addresses how the timing of a policy window opportunity depends on what he calls the "three streams model," which includes the problem stream, the policy stream and the political stream. While all three streams are important, the magic happens when the streams come together, such as a change in the problem stream (growing national cyber-security concerns) and a change in the political stream (change in presidential administration) and an issue goes from just being an idea and turns into real policy. When I think about a policy window it reminds me of the perfect storm metaphor because it's all about timing. A little too early or a little too late and you've missed the window of opportunity.
So here's the question: While there have been numerous major cyber-security incidents in the past year (far too many to list here) and we've reached the first anniversary of the new presidential administration, is the policy window on cyber-security already closing? Has the nation lost momentum? In a 2009 column for CSO Magazine, author and consultant Richard Power wrote, "Cyber-security suffers from lack of a great transformative metaphor. We need to find a 21st century vision worthy of this 21st century challenge." We continue to see cyber-events on a daily basis, so what does it take to attract enough attention to achieve some real policy momentum and take advantage of what many think is the perfect policy window? I think the answer is national leadership, and I'm hopeful Mr. Schmidt can provide the vision.
In a 1998 article, political science professor Michael Howlett said, "Interest groups, think tanks, political parties and other nongovernmental actors must all operate and plan their activities in accordance with some notion of which issues are likely to emerge on government agendas and which are not." Many of us thought that the release of the Center for Strategic and International Studies report, Securing Cyberspace for the 44th President, in December 2008 met the requirements of this statement and would be the impetus for quick action.
In discussing the policy window for cyber-security action, Marcus Sachs, Verizon's executive director for national security and cyber-policy, said, "This means lots of opportunities for 'policy entrepreneurs,' those individuals who are able to take advantage of the brief window to advance initiatives and efforts that are in line with the general issue of cyber-security. It also means that those who are able to act fast stand to gain the most; those who wait might find their initiatives left behind as the window slams shut several months from now."
I'm certainly no public-policy sage, but I think the challenges of addressing our national cyber-security problem is an idea whose time has come and it seems to sync up nicely with Kingdon's thoughts on the policy window and how policymaking happens. It would be a shame if the nation missed this policy window to address our cyber-security problem, and we are counting on Mr. Schmidt to lead the charge.