I feel like a non-Ivy League version of Prof. Paul Krugman whenever I complain about the absence of a national plan for securing the Internet. I don't have the doctorate, but I have plenty of ideas that I want to share with the White House. And like Krugman, I often think the White House hasn't gone far enough or I resign myself to the fact that, without some terrible disaster to spur us into action, we'll never get the level of Internet security we need.
But this time I am impressed. If you haven't read Obama's Cyberspace Policy Review [pdf], then you probably don't know what I'm talking about. Regardless of your politics, this is easily the best mission statement on the subject I've ever seen. Kudos to the Office of the White House and all of the people involved in creating this document. I thought the U.S. government would never get it, but they do!
[ Keep abreast of IT security news by subscribing to InfoWorld's free Security Central newsletter. ]
Plan of action
You don't have to read all 76 pages to get the picture. The Executive Summary and the Near-Term Action Plan at the beginning of the document are enough to tell you that this isn't your father's Internet security plan.
I'm so used to government failures (see CAN-SPAM Act or the multitude of Data Protection Act attempts) that I just assumed the government would never get on the right page until we came face to face with overwhelming cyber destruction. One-third of U.S. adults have had their credit card or online identity stolen. No one bats an eye when 1 million identities are stolen in a single online heist -- it isn't even news anymore. One-half of home PCs are infected by malware each year, and Web sites are compromised by the tens of thousands each night. Legitimate Web sites (e.g. www.foxnews.com) are often the ones (inadvertently) hosting the worst malware. Foreign hackers are infiltrating protected government networks like they are Swiss cheese, and the most popular social Web sites are hotbeds of malicious activity. Corporate espionage is almost a norm. Paris Hilton's smartphone is compromised seemingly every week, and the latest revealing photos struggle to find space on the already crowded pages of TMZ. How bad did it need to get before we tried something different?
Obama and his administration have responded, and I applaud them. The Cyberspace Policy Review is a great start.
I hope the White House knows that the Internet can be made significantly more secure by using existing, widely deployed protocols, as I have stated in my "Fix the Internet" whitepaper (see "This Internet fix is no pipe dream"). All we have to do, as a global Internet society, is to agree on the fixes (including pervasive identity and accountability) and the values that need to be populated in the multiple community-based service tables. The community-based tables hold trust rating values that indicate who has what particular level of trust.
Fixing the Internet isn't rocket science. All the planning could be done in six months to a year, with real products and complete legacy support coming out six months later. The hardest part is putting the right people together in the same room and working toward a common goal.
I hate to paraphrase the document, but for those of you who don't have the time to read the first few pages, here are the main elements of the Cyberspace Policy Review:
- Cyberspace policy will involve government, private, and public participation
- Cybersecurity is one of Obama's key priorities
- The president will appoint a central cyber director (what level in the executive reporting structure is an important detail still to come)
- The president will also appoint a civil liberties and privacy ombudsman to protect individual rights
- The policy will include a plan for managing online identities
- The policy will provide inter-agency guidance and impose new accountabilities
- The policy will include an incident response plan
- There will be provisions for end-user education
I know Obama didn't write the plan himself, but it obviously has his stamp. I'd like to meet, interview, and work with the key document developers. The document seems to consider most of the public and private interests that need to be addressed. It's truly a dream of a policy document.
Obama's plan doesn't include technical details, nor should it. But it does put together, for the first time, a framework and series of steps that can lead to a more secure Internet. Some readers may find this column too gushing with rose-colored compliments, but after two decades of blinders, apathy, and worse (special interests guiding legislation), a White House initiative toward a real plan for Internet security is no small event. I'm sure there are flaws, and the process won't be smooth, but at least we have a line in the sand. Today, there's a little extra spring in my step.
This story, "Obama's Cybersecurity Dream Could Come True" was originally published by InfoWorld.