This story appeared on Network World at

This story appeared on Network World at
http://www.networkworld.com/columnists/2009/060209bradner.html

Cybersecurity: What will the attention span be this time?

Will Obama cybersecurity initiative have anything other than a good start?

'Net Insider By Scott Bradner , Network World , 06/02/2009

The idea that the White House would be interested in cybersecurity is not new. At least since former President Bush appointed Richard Clarke as National Coordinator for Security, Infrastructure Protection and Counterterrorism there has been some level of attention to this topic. But this attention has seemed to fade quite quickly after someone is appointed to a high-level cybersecurity czar-like role. Most people who have taken on that role have quickly quit in frustration. (See Insecurity (or is that frustration) at the top and Resignation exposes opposition to NSA cybersecurity role.)

We can all hope that the results will be different when President Obama completes the start-up of the White House's latest cybersecurity initiative by appointing a cybersecurity coordinator.

The president said lots of good things when he revealed his cybersecurity plans last week.

He announced the release of the 60-day cyberspace policy review and aired "a new comprehensive approach to securing America's digital infrastructure."

He announced a five-part approach:

* Treat the U.S. digital infrastructure as a "strategic national asset" and appoint a cybersecurity coordinator who will have "regular access" to the president.

* Work with state and local governments as well as the private sector to ensure an "organized and unified response to future cyber incidents".

* Collaborate with industry to find technical solutions that ensure our security, but "will not dictate security standards for private companies".

* Invest in research.

* Promote cybersecurity awareness and digital literacy.

He made a point of saying that the cybersecurity plans will not involve monitoring private sector networks and that he is committed to net neutrality to "keep the Internet as it should be -- open and free."

He said lots of good things, but there will be a lot of opportunities to have this initiative wind up as the prior ones have -- window dressing that does not even successfully hide the real cybersecurity problems facing the country and the world.

The administration's plans seem to mostly come from the 60-day cyberspace review led by Melissa Hathaway, the cybersecurity chief at the U.S. National Security Council. There is also a lot of good stuff in this report. But there are parts I do worry about.

The report includes a table listing a 10-point near-term action plan. Most of the plan is reflected in the president's announcement but a few parts did not make it. For example, the report calls for the designation of a "privacy and civil liberties official," but the president did not mention that point.

I do worry about the report's call for a "cybersecurity-based identity management vision and strategy." In spite of the report's good words about addressing privacy and civil liberties interests, I find it hard to see how any system of identity management will not wind up with someone being able to keep track of who is doing what on the Internet -- a wonderful prospect to repressive governments and some law enforcement officials -- but not so wonderful to anyone with a legitimate need for anonymity. ( See The Right To Speak Incognito and Conversations in cyberspace?)

As a longtime participant of the IETF I also worry about the report's push to bring together "like-minded nations" to worry about technical standards for the Internet. The Internet got to be the innovative powerhouse it did mostly because we did not have governments deciding what standards would be good and what would not. Few governments would have supported anything like the Internet if they had a chance.

Clearly something needs to be done about the appalling state of what passes for security in the country's cyber infrastructure, but I do have a big worry about the baby vs. bathwater ratio of what this initiative has in mind.

Disclaimer: Many people at Harvard work on ratios of some type of good vs. some type of bad but I know of no university opinion on the balance in this report or initiative, so the above exploration is mine.