After a year of alarm and hype, cybersecurity has finally made it to the top of the Obama administration's to-do list. President Obama, introducing a new report on U.S. cybersecurity in a speech on Friday, said cybersecurity represents "one of the most serious economic and national security challenges we face as a nation."
The White House has even produced a web video and blog to help sell the new initiative.
However, while many experts applaud this new focus as vital to protecting critical U.S. infrastructure and economic institutions, some analysts have noted that the report fails to answer many key questions, contains a number of inconsistencies and possible inaccuracies, and generally exaggerates the threat to the country.
"It's a plan for a plan," said O. Sami Saydjari, chairman of the Professionals for Cyber Defense. "Given how bureaucracies work, they tend not to come up with bold plans in 60 days. The hard problems have yet to be grappled with."
Other analysts have gone much further in their criticisms of the report. George Smith, a senior fellow at Globalsecurity.org, said "it's set up to look remarkable, but it's only remarkable because it has an urban legend at the center of it." Smith was referring to a section in the report that repeats a questionable CIA claim about an Internet-based attack causing a multi-city blackout. While that may be far-fetched, online attacks has indeed played an important strategic role in recent conflicts, most notably in Russia's skirmish with Georgia in South Ossetia.
The report presents the results of a 60-day review of cybersecurity policy commissioned by the President shortly after taking office. The review, which was led by former Department of Homeland Security cybersecurity head Melissa Hathaway, involved interviews with dozens of experts in government, private industry, and academia, in an attempt to formulate a strategy for uniting America's uncoordinated cyberdefense efforts.
Currently, every government agency has different cybersecurity policies and activities. According to Saydjari, the lines delineating different cyberdefense responsibilities between various government, intelligence and military departments are "drawn as clear as mud."
In general, even analysts who support the expansion of cybersecurity efforts lamented the report's failure to answer the most important questions.
In particular, the report did not address which agency takes the lead in the case of a massive attack, or venture any estimates about the cost of implementing the recommendations. At times, the report even fails to maintain basic consistency within itself, listing the cost to the U.S. economy from cyberattacks as both "hundreds of millions" and "as high as $1 trillion," a difference of three orders of magnitude.
"The report that went to the President was a lot stronger than the report that came out of the President," said Martin Libicki, the author of Conquest in Cyberspace and a senior policy analyst at the Rand Corporation. Libicki attributed the weakness of the language in the report to National Economic Council head Larry Summers's desire to avoid firm commitments to projects he saw as overly expensive with little payoff.
Additionally, the report does not address whether or not the cybersecurity czar President Obama hopes to create would have any control over budget. That lack of budget control felled former-President Bush's attempt to create a unified cyberdefense command in the Department of Homeland Security.
Furthermore, both Libicki and Smith claim that the report exaggerates the threat faced by the U.S. from cyber attacks.
"Public education about threats seems to be a big thing in this report, and in this case, public education mostly means fearmongering," said Smith. Libicki echoed that sentiment, noting that the damage done by cyberattacks pales in comparison to the other problems currently afflicting the U.S. economy.
Of course, there are some elements of the report that have been universally applauded. In particular, the creation of a cybersecurity czar position within the White House, and the placement of the czar on both the National Security Council and the National Economic Council, should help to rectify both the lack of focus and the influence problems that plagued previous cybersecurity directors.
"Having the cybersecurity coordinator involved with the National Economic Council, as well as the National Security Council, is a very important step," said Scott Borg, Director and Chief Economist of the U.S. Cyber Consequences Unit, a non-profit founded by the U.S. government that now independently consults with the government and businesses. "By defining the job in this way, President Obama is recognizing that economics is central to cybersecurity."
All the analysts also agreed that this report is just the beginning. With the report punting on many important issues, and the cybersecurity czar position currently sitting unfilled, the debate over U.S. cybersecurity policy has just begun.
"We're in the process of throwing the steak in the shopping cart," said Libicki. "We haven't even gotten to the grill yet."
Does anyone else get the feeling that we have a bumbling narcissistic schoolboy in charge of our country? I knew it would only be a couple of months before the high hopes were dashed. How about bringing the troops home? How is that working out as we increase the number of troops overseas, just in Afghanistan and not Iraq. I guess it was not a total lie, he is bringing the troops home, to send them (and more) to Afghanistan. Anyone else see the "tell the people what they want to hear to get my way" schoolboy mentality here? Don't get me wrong, I believe in this war and agree with the increasing of military presence to see this through. What I have a problem with is the lack of honesty.
That was always one of the things that worried me about the entire Obama campaign premise of "vote for change." Change in what? Everyone heard "we need change" and automatically equated that to whatever change they personally thought the country needed, without taking into account the ambiguity of that statement.
Besides, some things never change; regardless of the party in power, there is still a politician in office.
Read a good book regarding hacking called "Hacker Cracker." I'd recommend reading it as a fun read.
I think cyber security would be best placed under homeland security. It should be seen more as a tool and not a function of the government. The only benefits I can think of for connecting cyber security directly to the President (other than a headline) is for nefarious political gain (and not necessarily for just the current administration - think Nixon/Ted Kennedy).
I would appreciate more discussion on this topic.
Why do we call it a cyber security czar? What is this Russia?
Anyway, I would rather have the "bumbling narcissistic schoolboy" in charge than the old stubborn teacher incapable of learning(McCain). And as compared to Bush, Obama is neither bumbling or narcissistic, listening to a single speach of each would confirm that.
Czar - because we have so many do-nothing jobs in Washington that we have run out of English titles for them.
Bumbling - a fair claim against someone trying to do so much in so little time. This is partly his fault for biting off more than he can chew. This is partly his virtue, because he actually is attempting to do what he promised in the campaign. By the way, in the campaign, he did say that he would reduce troops in Iraq and incress them in Afghanistan. Repeatedly. The only part he isn't keeping is getting out the troops by his promised deadline. Instead he is going by the preexisting deadline worked out between Iraq and the Bush administration before he took office.
Narcissistic - Well, when the media tells you you are great 24/7 and so many worship you like a savior, of course you are going to be a narcissist. At least it seems that someone has finally told him that we don't want to see his boring press confrences in prime time.
Schoolboy - Yup. Lots of education and headsmarts, not much practical experience. Dreams bigger than his pants can fill. Thus, his foriegn relation woes (coming across like an effiminate European diplomat).
Last I checked, didn't we put the Internet under the Air Force? They should be in charge of cyber security and cyber war, as no body else will likely look at it as strategically or offensively as they. Also, until we are willing to change our laws and policies to go after cyber criminals (borderless crimes require borderless laws), then all we are doing is playing defending ourselves.
Mabye if they didn't use such a widespread vulnerable OS, they wouldn't have these problems..... also, hardware firewalls and quantum encryption. how hard is it?
Linux-Don't fear the penguin
A lot of people want to know How Obama Got Elected. How Obama Got Elected is also the title of a documentary by John Ziegler, whose film purports that he was elected because the mainstream media was mean to Sarah Palin. It has been suggested that Obama was elected was via a process called voting – which has not occurred to Mr. Ziegler, who isn’t famed for intellectual prowess – and on a recent interview with Contessa Brewer on MSNBC, his microphone was cut due to his refusal to not act like an idiot. Many would give big cash advances to make How Obama Got Elected to go away and Ziegler to shut up. Visit http://personalmoneystore.com/Cash-Advance/ for more info.
The biggest danger when it comes to cyber security are the users and not some hackers and similar. I mean, educating the users about how to deal with their environment and what the possible outcome is if they do something they shouldn't (e.g click on an unknown link in the e-mail or download and execute files from untrusted resources). In other words, stop focusing on the software and start to educate the users...