The success of the cybersecurity czar is more about the exercise of leadership than anything else, CompTIA policy chief Roger Cochetti says.
So, in the Internet Age, how did we settle on the title of cybersecurity "czar" for the nation's top IT champion, cop, teacher and Cassandra?
Perhaps it was an outgrowth of the energy crisis in the mid-1970s, when the first energy czar, James Schlesinger, was named to help head off impending oil and gas shortfalls. Or, maybe it just sounds cool, tinged with a bit of old-world mystique.
More likely, though, the term reflects its most salient quality--that of leadership. However you view it, the role of cybersecurity czar has as its central job the act of leading the public and private sectors.
Many inside the Beltway and in the tech community took the recent departure of Amit Yoran as a sign that the federal government's protection of our vital Internet infrastructure lacked importance inside the new Department of Homeland Security.
I don't see it that way.
President Bush created the position of cybersecurity adviser, first occupied by Richard Clarke, nearly four years ago. And with its movement into the Department of Homeland Security, those of us who are concerned about America's cybersecurity have been blessed with a strong group of people who have been notable for their tenacity, insight--and lack of large-scale resources.
While the results have been far from perfect, there have been tangible and significant improvements in the nation's cybersecurity directly as a result of their efforts. After 9/11, the office of cybersecurity czar fostered public-private partnerships, leveraged market forces, prodded federal and local governments and, yes, generally used the bully pulpit to drive home the idea that America does not have an option here--that because of our dependence on IT and the Internet, we had better get our "cyberhouse" in order.
Today, it is difficult for many to remember that before Clarke and his successors took office, cybersecurity was considered an obscure area of concern to a small number of people, many of whom were characterized as eccentric. Now cybersecurity is a major topic of discussion in Congress and in the executive branch, as well as in the press. It is also a subject of major attention from both the international community and industry everywhere.
Few government agencies or major private-sector institutions anywhere in the United States, Asia or Europe do not have someone whose job is cybersecurity. Much of this dramatic shift can be credited to the tireless work of Clarke and his successors: Howard Schmidt, Yoran and now Andy Purdy, as well as their colleagues and assistants.
Still, work needs to be done. Spam, phishing, denial-of-service attacks, spyware, worms, viruses, Trojan horses, identity theft and Internet-related fraud have not abated but have in fact grown. Fifty new cybervulnerabilities get identified each week. Internal security abuses in companies and public institutions are proliferating. And SCADA systems such as those controlling the power grid have seen newfound, potentially life-threatening faults, partly as a result of the growing use of IP-based communications for those systems.
This is not to mention even more disturbing phenomena such as recent reports showing the existence of at least one state-sponsored army brigade composed entirely of dedicated military hackers being trained to wreak havoc on American and other Western economies while simultaneously stealing intelligence and trade secrets.
As America confronts these and myriad other cybersecurity challenges, the leadership of the senior federal official responsible for cybersecurity--whether located in the White House, the Office of Management and Budget or the Department of Homeland Security--will continue to be the most important variable deciding success or failure.
Thus far, through various bureaucratic incarnations, the office has done an exemplary job. Regardless of where the czar gets "org-charted," he or she will have as the main challenge the provision of clear, forceful and well-informed leadership--leadership of other government agencies, the private sector and consumers and individual computer users everywhere.
In this regard, I believe this leadership should:
• Continue to eschew the default position of regulation, which tends more often than not to be slow, unresponsive and clumsy in the face of the rapid pace of technological change.
• Keep urging local and federal governmental bodies to make their own cybersystems more secure, enabling them to, among other things, lead through example.
• Keep pushing providers of computer hardware, software and IT services to improve the security of their offerings and to develop more cybersecurity offerings, reducing opportunities for cyberterrorists in the first place.
• Persist with the highly public mantra of cybersecurity awareness, hygiene and ongoing IT professional security training and certification, helping Internet users of all stripes get the training that they need to make our networks safer and more resilient to cyberincidents.
• Foster continued information sharing and the exchange of best practices among all stakeholders, allowing parties to contribute to solutions without the fear of being unreasonably penalized.
• And finally, keep refining the national cybersecurity response system, providing ever clearer processes that can be followed in all circumstances and at all levels of the food chain.
The success of the nation's cybersecurity leader is more about the exercise of leadership than it is about anything else. The insight, tenacity and dedication of that leader will either make us a more secure country in the face of growing cyberthreats or leave us increasingly vulnerable to criminals, terrorists, hostile foreign military forces and vandals.