On Monday, one of the Obama Administration’s heavies took to the Op-Ed page of the Washington Post to fight for cyber security. John Brennan, the President’s senior advisor on counterterrorism and homeland security, published a pretty impassioned piece reminding the Nation that cyber treats are real.
Nearly the entire first half of the article was a reiteration of the magnitude, the sophistication and the detrimental effect of the growing set of cyber threats that face our Nation. Having just been quizzed by a great audience of homeland security practitioners last week as to the existence of such threats (see my last post), it was gratifying to hear such an esteemed leader as Brennan (and no, I am not being sarcastic – Brennan is a patriot who has risked his life in the field and should be trusted when he speaks now) make the same case I have been making for a few years now. I maintain that there is a problem. The sky is not falling folks, but we darned sure need to get serious about facing it.
Personally, I thought we were beyond the debate about the existence of the cyber threat and our need for better cyber defenses, cyber hygiene, training, and public-private info sharing. I guess there are still nay-sayers out there. I sure hope they believe Brennan. (OK, he does get a little more Chicken Little-ish than I prefer, but he is mostly on target.)
He spends the remainder of the op-ed pushing for the Administration’s preferred legislative bill. He points to the President’s proposal from last year, and noted that the Cybersecurity Act of 2012 has bipartisan support (clearly true) and would give the Federal Government exactly what it needs to ensure we can properly protect the nation’s critical infrastructure (still a debatable issue).
Brennan does accurately portray the position of many industry biggies that more of the provisions should be voluntary, but he strongly disagrees that this will be adequate to fix the problems. I liked that Brennan did not try and paint this as a nefarious position on the part of business; he merely said he disagreed strongly.
This seems to be the rub on cyber legislation. Industry wants guidance from the Government, but it wants it broad and with as much flexibility as possible. Others want to lock in the provisions because they are tired of the endless debates and the failures to share information until it is too late to be effective. This is a VERY simplified version of this discussion, I grant you, but it does draw the line in the right place.
What do I think? I am glad to see the Administration fighting for better cybersecurity. Its inconsistent focus on this issue (except for long-suffering Howard Schmidt’s tireless efforts) has not been that much help. We need action, but I, like many others, am concerned that the proposed cure might be more hurtful than the disease. We are getting “beaten up” on numerous cyber fronts (see Brennan’s article), but we are still making grand innovations, still leading the world. Thus far, the benefits have been worth the costs. Those costs however, are growing. We need to find a way to disincentivize the bad guys and foster better security practices without cutting off innovation, harming privacy, or sinking productivity.
Will any of the presently proposed cyber legislation packages do that? One hopes so, but as yet, the jury is still out.