by adam on December 23, 2009
Congratulations on the new job! Even as a cynic, I’m surprised at just how fast the knives have come out, declaring that you’ll get nothing done. I suppose that low expectations are easy to exceed. We both know you didn’t take this job because you expected it to be easy or fun, but you know better than most how hard it will be to make a difference without a budget or authority. You know about many of the issues you’ll need to work through, and I’d like to suggest a few less traditional things which you can accomplish that will help transform cyber-security.
There are important things which you can achieve which are aligned with President Obama’s agenda and orientation that aren’t in the current strategy to secure cyberspace. They’re opportunities which have arisen in the last few years to increase transparency and accelerate new research that’s focused on security outcomes, rather than process.
Over the last 5 years, in the wake of California’s 1386 and ChoicePoint’s big breach, we’ve learned about thousands of security breaches. We’ve discovered that most of our fears don’t come to pass. Companies don’t go bust, and customers don’t flee. It’s time to embrace transparency, and admit that we all have security failures. Only by studying what goes wrong can we really expect to improve. So the first step is to de-stigmatize failure. That’s not to say accept failure, it’s disclose them, discuss them, and focus on what we can improve. You can set the right tone from your bully pulpit.
Next, as the nation’s cyber-security advisor, you’re in a position to push the heads of the federal agencies to open up about what they’re doing and how it’s working out. The data is already being collected by US-CERT, it’s a matter of transparency. Of course, some subset of the data will need to be appropriately redacted, but let’s embrace a need to share in information security. The President has committed to getting our data online, let’s make sure security data is included on Data.gov. (I’ve already sent a request for this to data.gov) As you work to expand public-private partnerships, why not start by sharing the data that the government has? It could reset the tone of the conversation. You can also support the non-profit Open Security Foundation‘s work on DatalossDB.org. The value they deliver on a volunteer basis is amazing, and the amount that would be required to take that to the next level by making it their day jobs would be a rounding error for any of the folks you’ll be working with daily.
Finally, I’d urge you to evolve our nation’s security research agenda. There are many smart, dedicated people working in information security. Many have been promoting approaches which have yet to take hold. You must bring new voices and perspectives to research. Emergent fields like “economics and security,” usable privacy and security, and security and human behavior bring important new perspectives of security as a human-centered discipline.
Each of these steps can be taken with your budget and authorities. Together, they’ll transform cyber security into an empirical, effective and outcome-centered discipline, and that would be an amazing legacy for any leader.