The recent announcement that Melissa Hathaway, a top cyber-security adviser for the director of National Intelligence, will direct a 60-day review of federal cyber-security is surprising in its audacity. Anyone who even remotely comprehends this Herculean task would, quite understandably, wince at the challenge.
The cyber-security problem however, goes far beyond the federal government. State and local governments struggle mightily to maintain adequate security technologies and staff proficiency. It's time for leadership at all levels of government to understand how dependent the nation and our citizens are on cyber-security. Professor Gene Spafford of Purdue University states it succinctly: "Information security has transformed from simply preventing bad things from happening into a fundamental business component."
Another encouraging sign that the Obama administration is serious about cyber-security is that its agenda contains specific goals, including:
While my optimism is fueled by the belief that bold leadership is truly powerful, it's also dampened by the reality that the cultural inertia within government actively resists change. I've been pondering how visionary leadership could benefit the nation and those of us toiling in public-sector cyber-security, and have identified a few targets that a national cyber-adviser might address.
Broaden and increase effectiveness of federal cyber-security grants. Despite the obvious knowledge that a cyber-attack could profoundly impact many government systems or critical infrastructures, the paucity of federal funding to protect them is appalling. Federal funding is critical to adequately address this national issue.
Identify and unreservedly exploit the diversity of public- and private-sector organizational knowledge regarding the nation's critical infrastructures. A paradox of the nation's critical infrastructure is how dependent public safety is upon something so disproportionately owned and managed by for-profit companies. Even worse is the lack of coordination between government organizations.
Develop consistent national regulatory guidance around security standards. While we have logical borders between governments and private-sector organizations, we also have arbitrary security policies to protect the data that crosses those borders. The cliché that "risk accepted by one is risk shared by all" is irrational at the national level, and self-regulation isn't the answer when economic incentives are out of balance. A report by the Center for Strategic and International Studies, Securing Cyberspace for the 44th Presidency, said it best, "We believe that cyber-space cannot be secured without regulation."
Expand the National Centers of Academic Excellence in Information Assurance Education program that currently includes 93 centers at colleges and universities across the nation. While "Centers of Excellence" is arguably the wrong title for this program since the term doesn't logically lend itself to such a large number of organizations, the program goals of decreasing the vulnerabilities in the national information infrastructure are appropriate.
The views expressed are solely mine and nothing stated in or implied from the article should or may be attributed to the state of California or any of its agencies or employees.