Simply put, there are three major areas of challenge for the Government and the Nation as we confront cyber security: an organization manifestly unsuited to addressing this problem, a set of policy authorities and laws which were designed to deal with problems from the previous century, and a requirement to balance the tension between security needs on one side, and privacy / civil liberties and commerce / innovation on the other. While they are only three, this is a daunting task.
Cyber security requires an overarching, systemic approach if it is to be mastered. It is not amenable to a solution that is fragmented among separate organizations or sectors. The beauty and power of the cyber realm is its ubiquitous connectivity. That same connectivity is also its greatest danger. If all entities are connected, all an adversary needs to do is to attack the weakest link, and he has a foothold, and an advantage against all. Right now, our federal system is badly fragmented, with every department and agency going essentially its own way. They control their own budgets, and decide on their own solutions. There is no uniformity of standards, and no impetuous to develop any. The authority and responsibility to protect different parts of the Cyber world is also split. This organization and these authorities were designed for an age that has been superseded by technology. It is not enough to protect the Department of Defense or the Intelligence Community, and leave the Departments of Health and Human Services and the Interior wanting. Nor is it acceptable to protect Federal players while allowing the State and Local governments to find their own way.
Our system of departmental budgets, IT policies, driven by smaller and smaller sub-entities has produced so many exploitable seams that an enemy has a multitude of potential vulnerabilities from which to choose. No one department can direct the others to “get in line”. In the absence of a complete over haul of the American governmental system, we need an alternative to the fragmentation. This balkanization has driven a call for a strong hand of leadership inside the White House It is a justifiable desire, and our only real choice.
On the legislative side, the story is much the same. The Congressional committee system was built around the Executive branch organization. So, we have a completely disjointed legislative process that exacerbates the dysfunctional approach to Cyber. Individual Legislators and their staffs grab hold of specific issues or parts of issues and run with them. There seems to be little regard to past successes or failures, and less about how their bill might integrate with existing policy or other legislative efforts. This adds to the disjointed and piecemeal effort. Often, what was meant to be a solution actually compounds the problem. This obviously will be more difficult for the Administration to control. If they can better synchronized the Executive branch elements, it will mitigate this aspect.
The third challenge is the very difficult tension between what constitutes adequate security, and the protection of privacy and civil liberties, and the promotion of legitimate commerce and innovation. Presently many citizens see the complete freedom and anonymity of the Internet as they know it as an inalienable right. Businesses have leveraged off shore development and manufacture of computer components and software to give us the affordable and innovative technology that fuels the development of our cyber civilization. Everyone agrees we need more security, but no one wants to give up anything for it. Any government solution must account for these tensions. Presently we just face each other and no one gives an inch.
All three of these challenges are acknowledged the 29 May report, and the President’s remarks. They constitute the crux of the cyber policy debate today. How has the Obama Administration chosen to address them? A quick review of the new policy provides the beginning look and where they want to go.