The New US Cyber Security Initiative: Will it Work?
With President Obama’s becoming the US president comes a widely supported mandate for change. His intense efforts to get an economic stimulus package passed have very understandably overshadowed important efforts in other areas, including in the cyber security area. Still, the Obama administration appears to have a strong commitment to improving cyber security, as evidenced by his announcing initiatives such as funding a safe computing research and development effort designed to identify ways to strengthen security in US computers, networks and applications, working with the commercial arena in safeguarding this country’s IT infrastructure, cracking down on computer crime, and strengthening the government’s leadership in the cyber security area. One of the key components of this last initiative is a government cyber security advisor who will coordinate national cyber security efforts. The fact that this person will report directly to the president indicates in many people’s thinking just how serious President Obama is in attempting to improve cyber security.
Although President Obama’s direction in the cyber security arena appears to be very appropriate, becoming overly optimistic concerning the likelihood of success in this area is ill-advised. Why? For one thing, risks have grown far out of proportion compared to the ability of the US government (or any other government, for that matter) to adequately mitigate them. Consequently, even if the Obama administration ends up with a long list of cyber security achievements, the US will still be way behind the proverbial eight ball. Still, getting somewhere is better than never getting anywhere, and late is better than never.
Furthermore, creating the position of cyber security advisor may not do much good. According to long-established principles of information security management, the higher an information security manager reports, the more power and influence that person should have, so having a cyber security advisor who reports directly to the president should in theory be a very big step forward. My not being excited about this prospect comes from what has happened previously in the US whenever some kind of “cyber security czar” position was created. Consider, for example, Richard Clarke, national security advisor for four administrations. He possessed the necessary knowledge and motivation to move cyber security efforts forward and had a sufficiently high and influential position to have sufficient leverage within the government. Yet no president whom he served took his warnings concerning the woeful state of cyber security in the US and the likely consequences very seriously. The same applies to the individuals who have held the top cyber security post within the US Department of Homeland Security (DHS), even though this position was substantially elevated within the DHS organization chart. If anything, people who have served in this position have ended up being the targets of intense and sustained attacks by other functions and organizations. I suspect that a large part of the underlying problem is the fact that it is so difficult to make demonstrable progress in cyber security, especially within the government where devastating politics and bureaucratic bungling create almost insurmountable obstacles to progress of any kind.
In sum, even though the new cyber security advisor will report to President Obama, history indicates that the chances of this person achieving success are low. Should President Obama therefore abandon his plans to create this position? The answer is no, because this position’s being placed where it is at least sends a powerful message that cyber security is indeed that important. All I am saying is that it is important to realistically gauge expectations concerning the prospect of success. What may in reality be the most significant benefit of President Obama’s cyber security initiative is the fact that more than lip service (the kind of lip service that previous administrations have given) is being paid to cyber security. This in turn is bound at a minimum to build some kind of foundation upon which future administrations can accelerate their attempts to strengthen cyber security.