Government Policy | DOI: 10.1145/1536616.1536626
Gregory Goth
u.s. unveils
cybersecurity Plan
‘Intent and timing’ may help the federal cyberspace
initiative work better than previous blueprints.
THe nAtionAl cyBeRsecURity ini- tiative announced by Presi- dent Barack Obama last May follows a decade of similar efforts by the two preceding
administrations—and after a decade
of hearing earnest governmental pronouncements about how vital cybersecurity is, skeptical observers might say
little has been accomplished except to
demonstrate the intricacies of bureaucratic battles in the creation of new
government agencies.
However, crucial differences exist
between the Obama administration’s
cybersecurity efforts, marked by the
release of its 60-day Cyberspace Policy
Review ( http://www.whitehouse.gov/
assets/documents/Cyberspace_Pol-icy_Review_final.pdf), and those of
Bill Clinton and George W. Bush, despite the many similarities, says James
Lewis, senior fellow for technology and
public policy at the Center for Strategic
and International Studies, a Washington, D.C.-based think tank.
“The difference here is in intent and
timing,” Lewis says. “This administration did this in their first few months
in office, and it looks like the president
has an interest in it. The Clinton administration’s Presidential Decision
Directive 63 and the Bush administration’s Comprehensive National Cybersecurity Initiative were both done late
in their second terms and didn’t really
get any traction.”
PhotoGraPh by ManDel nGan / Getty IMaGes
Lewis and security experts Fred B.
Schneider, professor of computer science at Cornell University, and Susan
Landau, distinguished engineer at Sun
Microsystems, say the Obama administration must work deftly if its cybersecurity plan will emerge with more
credibility than its two predecessors.
Among the vital elements they said the
Obama administration’s report contained was recognition that the federal
President Barack obama speaking about the
u.s. government’s Cyberspace Policy Review
at the White house on may 29, 2009.
government must take an active role
in operating cybersecurity policy and
infrastructure; it must balance that active role with a concerted campaign to
protect industry’s ability to innovate in
the creation of new platforms and applications; it must preserve citizens’
confidence that cybersecurity policy
will protect their civil liberties as well
as the cyberinfrastructure; and it must
forge workable partnerships with other
nations, nongovernmental organizations, and technical standards bodies.
Landau says perhaps the report’s
most important indicator of the new
The cybersecurity
czar must be
appointed at a high
enough level to
possess real clout.
administration’s cybersecurity strategy
is a passage in the report’s executive
summary in which the phrase “
national economic needs” precedes “national
security requirements.”
However, the new emphasis adds
more interested parties—the cybersecurity czar is expected to report to
both the National Economic Council
and the National Security Council—
and that may dilute the office’s ability
to craft real actions instead of fighting
incompatible bureaucratic goals. One
of the chief weaknesses of the Bush administration’s cybersecurity policy was
its failure to ensure the cybersecurity
boss was appointed at a high enough
level to possess real clout—and, says
Schneider, that could happen again.
“You have somebody who is no longer just talking to the president. In fact,
whomever they appoint will be a servant of many masters,” he says.
Schneider says finding a way to
bring the foundations of accountability prevalent in law enforcement into
cyberspace “is a big step because cyberspace has had this value system that
is about anonymity. But cyberspace,
when it was constituted, was not constituted with anything of consequence
being controlled or anything of value
being accessed that way.”
“But there is a stupid way and a
sensible way to make cyberspace accountable,” says Schneider, “and if you
use too broad a brush when you bring
accountability to cyberspace, you will
blow it badly. And the people who are
worried about privacy have a reasonable
basis to be worried, because it’s easy to
do it badly, which is why research needs
to be done, and the process needs to be
open and transparent.”
Gregory Goth is an oakville, Ct-based writer who
specializes in science and technology.