How to Fix US Government Cybersecurity Initiatives?

by Ming Chow

Related link:

The news couldn't be any worse this week for technology happenings directly relating to the US Government.

Back in October, Amit Yoran left his post as the National Cyber Security Division, part of the Department of Homeland Security (DHS).

Now only several months since the October incident, another prominent member of the National Cyber Security Division, Robert Liscouski, announced his resignation earlier this week.

Add on the news of the FBI leaning to shelve it's multi-million dollar file sharing software (Virtual File Case) to combat terrorism.

All this news makes the cloud on government-related IT ventures only darker.

Now I am not going to rip on "what is wrong?" I am not even going to go there. I do want to ask a very simple question: will cybersecurity be properly emphasized and respected, if ever?

Some things I know for sure:

  • Throwing money at the cybersecurity problem isn't going to work.

  • Sure, we are all concerned about terrorism, and nuclear proliferation. But a cyberattack on some of our power plants and other utilities is also devastating (recall the massive blackout in the Northeast a while back).

Some other things I know:

  • Cyberattacks, including viruses, spyware, worms, and Trojan Horses are becoming more sophisticated and lethal.

  • There is a plethora of public tools funded and sponsered by the US Government including the Common Vulnerabilities and Exposures database (maintained by MITRE) and various communications by the US Computer Emergency Response Team (US-CERT)

  • In general, the public doesn't have a clue on cybersecurity. The number of infested, flawed, and buggy computers and software is mind-boggling.

  • Crackers broke into the T-Mobile network, and e-mails belonging to the Secret Service were read, along with other highly sensitive files. This was another woe that was announced this week. I think this issue is big enough to make the government understand the importance of cybersecurity.

  • There are companies that are helping out in this problem (e.g. Microsoft and Symantec).

There are lots of unknowns as well, for example, what are the upcoming projects and goals of the cybersecurity division of the DHS?

I am very passionate about these issues, and I hate reading such woeful stories in the news. I may not have all the answers to solve "the problem," but I can offer some pointers and considerations for the Cyber Security Division to think about:

  • VISIBILITY! Announce and promote current initiatives, upcoming projects, and breaking news to the public. Right now, the group look so buried under all the bureauocracy.

  • I think one of the biggest problem in moving forward and explaining all the issues to the public is that the public is too scared. Well, you have to be honest with them and demonstrate the vulnerabilities (which is not too difficult to do if you have a PC on the network).

  • Ask yourself: are you too decentralized to achieve your goals? If so, would it be ideal to hand off the powers to a roundtable of security experts/firms?

  • Consider a standard channel of communication/announcements (although I admit this will be nearly impossible). Right now, the public is bombarded with information from various sources and companies on problems and most importantly, on what to do. This is not necessarily a good thing. Have all the sources and companies send major announcements to one integrated channe so people will know where to get the latest information. It will ultimately lead to important "visibility" of the division.

Of course, the ultimate goal is to get people to care, which seems to be light-years away.