Friday, May 29, 2009

Does the U. S. Need a Cyber Czar?

On Friday May 29, President Obama is scheduled to announce a plan to name a “cyber czar” whose responsibility will be to oversee computer security both in and outside the federal government. The term “czar” in Russian originally meant an emperor whose reign was maintained by the authority of God. Somehow I doubt that such overtones of meaning are intended by the PR people who put together these news releases and the members of the press who report them. But it is a good place to start asking whether the U. S. really needs such a czar for this increasingly important area of technology, and what the good and bad aspects of such an appointment might be.

From time to time we have discussed various cyberthreats in this blog, and so far, none of them have turned out to be the Armageddon of viruses or cyberattacks. The trend in recent years, however, is not reassuring. Back when email was a novelty engaged in by a few nerds and their friends, the worst motivation of those who wrote viruses or produced spamware was a kind of intellectual mischievousness: “Gee, can I really get away with this?” But eventually, people figured out there was serious money to be made, either quasi-legitimately via spamware advertising of kooky products, or illegally via shakedowns and blackmail threats (“If you don’t want your whole website to go down next Tuesday, leave $100,000 in unmarked bills in the trash can next to the entrance of the Kremlin tonight.”). And in the last year or two we’ve seen pretty definite evidence that nations are using cyberattacks as part of more conventional warfare, as when Russia evidently coordinated a cyberattack on Georgia’s government websites last August during its attack on contested territory between the two countries.

So the threats are real, no doubt about that. The question is, can we defend ourselves better against them if we have some centralized governmental authority taking some as-yet-undefined actions? That question has to be answered in the context of how things are done currently.

Like the Internet itself, the U. S. system (if you can call it that) of defense against cyberattacks consists of a not very organized, highly distributed network of specialty firms, companies who simply want to use the Internet legitimately without hindrance, and the various governmental entities who use computers, which is (I hope by now) all of them. Judging by various reports, the private firms seem to do a better job of security and upgrading, including defense against attacks, than the government does. But this may simply be an artifact of accessibility. Reporters can file requests under the Freedom of Information Act to obtain a wide variety of government records, but there is no such privilege with regard to the internal documents of private firms. So if (to take an example) Bank of America makes a big goof in purchasing vulnerable ATM machines that can be programmed to spurt out piles of twenty-dollar bills to a waiting kid on his tricycle, as long as they catch the problem and fix it before it hits the news wires, no one is the wiser. But let that happen in a government agency, and reporters can get all the documentation on it they want, usually.

That doesn’t mean the government is necessarily less competent in dealing with cyberattacks. One danger I can foresee is that of burdensome regulations in what is historically a very unregulated industry. If Microsoft had to prove to some government bureaucrat that its new software upgrade is bulletproof against cyberattacks before it could be released, we’d all still be running OS/2 on our PCs (except for those of us using Macs). But the advance reports indicate that the new cyber czar won’t have even the authority of a cabinet official, nor Presidential access of the highest level.

So if the new czar can’t do much, why should we bother? One aspect of the situation appears to pertain to public education. I suppose if the President talks about what you as an individual can do to improve computer security, a certain number of people will pay more attention, but it does seem like it might be a needless expenditure of political capital. On the other hand, if we are made aware of the cost of cyberattacks in terms of centrally analyzed statistics publicized by the government, that might motivate some changes.

This problem resembles environmental issues in that it is essentially a global, not strictly a national matter. The Internet knows no boundaries, and in fact many if not most cyberattacks on U. S. institutions come from abroad. That means a solution, or more likely a range of solutions, will have to have international aspects to it: international agreements, international coordination, and so on. And for this the federal government is probably the best choice.

In sum, let’s wait and see how czar-like the new czar acts. There is no need to worry that the designee will take over the universe, even the cyber-universe. And there is a lot of room for improvement both in the public and the private sector. But government can do only so much, and it will be interesting to see whether the person chosen makes a positive difference, or disappears after the next federal initiative grabs all the headlines.

Sources: An Associated Press article describing the results of a Presidential study of cyber security and related issues can be found on the Business Week website. My blog “War Comes to the Internet” was posted on Sept. 8, 2008.
