Friday, March 18, 2005
A Modest Proposal, Redux
While there are some elements of sense in the article, others are merely hysterical, to wit -
Hire a Czar
A surgeon general-like figure for security is not only a Big Idea; it's a popular one. Several folks suggest creating some kind of "government leader" or "public CIO for security," none more vocally than Paul Kurtz, the executive director of the Cyber Security Industry Alliance. "We need more leadership at a higher level of government," he says. At the Department of Homeland Security, he says, cybersecurity has been buried, and he believes DHS should have an assistant secretary-level person for cybersecurity.
At press time, that proposal had been floated but didn't make it into the intelligence reform bill. Meanwhile, a succession of notable leaders for cybersecurity resigned from their DHS posts—some suggest because of frustration over the low status of the role within the agency. Congress even explored the possibility of moving government oversight of cybersecurity from DHS to the Office of Management and Budget.
"Somehow, the surgeon general has this special place with us," says Scott Charney, chief security strategist of Microsoft. "We don't have the focal point in security that health care gets with the surgeon general."
One of the surgeon general's best-known successes is found on the side of cigarette packages. The smoking analogy cropped up repeatedly with big thinkers. Once upon a time, society believed that if you chose to inflict harm on yourself by smoking, you were free to do so. The concept of secondhand smoke changed that equation and now smoking is anathema in many public places.
Networks are no different than smoking in the sense that your bad security habits can adversely affect innocent bystanders. Online, in fact, it may be worse since the secondhand smoke of cyberspace doesn't dissipate with time or space. It debilitates every machine it touches equally, as if everyone was forced to take a drag.
We propose a high-profile surgeon general for information security, who reports to the secretary of DHS. Imagine labels on software like those on cigarettes—Infosecurity General's Warning: The use of software and hardware that is not certified secure can harm your system and other people's systems, and you may be held liable for those damages.
Oh brother. All together now: "I'm from the government and I'm here to help." Perhaps the last time the Surgeon General actually did something was the cigarette labeling issue, and for crying out loud, that was before Cream broke up. The Surgeon General is a public policy harrumpher who in general has been stunningly ineffective due to partisan politics (neither Koop nor Elders did anything worth a damn except pontificate, and not all that well, either).
And who in the industry is going to play Surgeon General, or for that matter, capo di tutti capi to the kingpins of the industry? Gates, Palmisano, McNealy, Chambers and their peers are not about to surrender any of their hard-won territory or intellectual property to the control of a government czar. Czar-hood usually doesn't do a heck of a lot of good (ask the Romanovs, ha ha) other than giving one single person the ability to act as a lightning rod for criticism from all sides. Can you imagine a government czar suddenly having to approve RFCs?
There's quite a bit more in this article worth dissecting. The gist of it is to start regulating computing, an idea which scares the hell out of me as a technologist, a free-markets supporter and a conservative. We'll take more of this up tomorrow....
All excerpts from CIO Magazine are the property of their respective owners, and are quoted only for fair use purposes.