Home > Uncategorized > Bush’s Executive Order on Cyber Security: Will it Do Any Good?

Bush’s Executive Order on Cyber Security: Will it Do Any Good?

Several weeks ago President Bush signed an executive order, National Security Presidential Directive 54/Homeland Security Presidential Directive 23, thats is intended to improve cyber security within the US government by mandating monitoring of US government networks. The order, which provides an unspecificied, but presumedly huge amount of  funding, stirred up no small amount of controversy. Critics complained that the order calls only for monitoring, not up-front security measures, and as such they have predicted that this order’s provisions will do little if anything to genuinely improve cyber security within the government. The fact that the public sector was excluded, even though the public sector is a critical part of the critical national infrastructure, triggered additional criticism. To top it off, privacy advocates have pointed out that the order will result in what will effectively amount to yet more government spying on individuals.

Although the real motivation for putting this new executive order in place is not certain, a few hypotheses seem extremely plausible. First, most US government agencies have not gotten very far in their efforts to secure their systems. US government systems are among the most vulnerable in the world to attacks, as shown by the plethora of security breaches (in many of which sensitive and even classified information has been compromised) in these systems over the years. Security within agencies desperately needs to be improved, and monitoring is likely to help. Second, the many widely publicized incidents in these systems have caused considerable embarrassment to the President, who has ironically strongly advocated fighting terrorism and bolstering national security while until recently doing little to improve the protection of systems that can be used for sordid purposes by terrorists and other enemies of the US. Third, the government as a whole is to a large degree in the dark concerning what is actually going on with respect to cyber security within each of its agencies. The lack of central monitoring capabilities as well as failure on the part of agencies to report incidents are two of the major causes. Once again, monitoring is likely to help.

I have mixed reactions to the latest of a series of US government cyber security initiatives. On one hand, someone or some group of individuals within the current administration seems to genuinely understand the high level of risk that US government systems currently face. Furthermore, the fact that a tangible solution has been proposed and that the executive order will result in a substantial amount of funding to try to get the job done is quite encouraging. Finally, although some have criticized the post-hoc nature of the measures called for in the executive order, monitoring, if done correctly, can prove extremely effective; it enables technical staff members who monitor to quickly spot security-related breaches and respond to them, thereby effectively containing the potential damage and impact. On the other hand, the current executive order is just one of many such massive cyber security initiatives that the government has undertaken over the years. I honestly do not recall any even partially successful such initiative because of a combination of big egos in high places within agencies, irrational political games, bureaucratic bungling, and squandering of programmatic funds. Even much smaller scale efforts, such as NASA’s previous initiative to centrally monitor network activity at all NASA sites, have failed miserably. Remember—those who do not heed the lessons of history are doomed to repeat it.

So the question remains—will Bush’s executive order on cyber security do any good?  My guess is that despite the odds, it will do some good. If nothing else, it should help the Department of Homeland Security (which has been assigned the responsibility of doing the monitoring) become more aware of the kinds of attacks and security breaches that government agencies actually face. At the same time, however, at the end of it all when the costs versus the benefits are weighed, the costs are likely to far outweigh the benefits.

Categories: Uncategorized Tags:
  1. No comments yet.
  1. No trackbacks yet.
You must be logged in to post a comment.