As we await selection of the Cybersecurity Coordinator, I've had time to ruminate on what I hope he/she would focus upon. The following are what I believe should be top-of-mind for the new Cybersecurity Coordinator:
1. Focus on market incentives. There should not only be incentives for protecting customer data (we've beaten that dead horse long enough), but also incentives for software manufacturers to end their long-standing practice of unrestrained vulnerability dumping onto downstream market participants. Incentivize the creation of secure software through a customer-centric signaling mechanism similar to other labeling regimes such as auto-safety, fuel-efficiency, energy-efficiency, etc. If the market cannot "see" security, the market cannot effectively price or supply security. Government acquisition dollars are simply not enough in this situation. Without using the lever of private consumption, which dwarfs government spending by a factor of 5 to 1, the U.S. response in cyberspace will be flaccid and half-baked.
2. Make cybersecurity a public safety issue. Cybersecurity should be less a law-and-order problem and more a public safety issue. It is tempting and comforting to think that law enforcement (or even the military) can address malicious behavior on the Internet. It can to a degree, but nowhere near the level needed to disincentivize cyber criminals on a broad scale. Software "runs" our lives. As such, software must be suitable to the task and not endanger citizens through insufficient security design and implementation. A public-safety perspective allows us to focus on incentivizing the few thousand software executives we know by name to make better software rather than on disincentivizing the untold numbers of anonymous attackers located around the globe.
3. Be wary of unintended consequences. As bad as our national cybersecurity might be to date, it can actually get a lot worse if we fail to consider the outcomes. The Payment Card Industry (PCI) standard is but one example of making cybersecurity worse, not better. Prescriptive mandates such as these create an incentive to "race to the bottom," where organizations seek the quickest, least expensive method of becoming compliant. Compliance does not equal security. In other words, prescriptive mandates create the unintended consequence of actually worsening security, because the incentive is to cut corners and costs: to fill a checkbox rather than confront risk. Prescriptive mandates do not allow the market to aspire to higher security; they only burden it further with complexity and expense. The new cybersecurity coordinator should focus on results and desired outcomes rather than on specific controls, rules, or mandates. These are all lagging indicators of risk and are not forward focused. Focus on results and outcomes and let the market figure out the best way to achieve them.
Hi David, I think you're spot on with numbers 1 and 3, but we disagree on 2. If our adversary were a disease I would agree with the public safety angle. Unfortunately we defend ourselves from criminals, foreign intel operators, and competitors. Public safety won't work in that arena. Great post though.
Posted by: Richard Bejtlich | June 27, 2009 at 06:48 PM