Protecting The US From Foreign Hackers Tue 30 Dec 08
A recent Op-Ed piece in the Houston Chronicle, "U.S. must update laws defending against foreign hackers," caught my attention. Congressman Jim Langevin (D-RI) and Congressman Michael McCaul (R-TX) wrote the piece out of concern about foreign threats to our information technology systems and made some suggestions on possible improvements. Although not in total agreement, I do think they make some excellent points.
First, however, I feel the need to comment on the emphasis on foreign threats. Putting the argument in terms of a "foreign" threat smacks of sensationalism and xenophobia. If an American hacks my computer and steals my personal information I find no comfort in the fact that the thief wasn't a foreigner. Cyber security is an issue of real significance. Let's not trivialize it with sensationalism. The bottom line is that a threat to cyber security is an important issue regardless of where that threat originates.
Langevin and McCaul get to the heart of the issue nicely when they say:
"Our national leaders have been far too slow to understand the scope and significance of this threat. America's laws for cyberspace are decades old, written for primitive technologies in a less-connected era. Our bureaucracy is organized for an industrial age. We are not prepared to meet the threats of the 21st century."
They then make a suggestion with which I whole-heartedly agree:
"We would begin by announcing a national cyber doctrine, declaring the cyber infrastructure of the United States to be a national security and economic asset that requires protection using all instruments of national power — diplomatic, economic, military, law enforcement and intelligence."
In a previous post I had suggested that President-Elect Obama's new CTO role address the issue of data security and use the bully pulpit to frame the debate on this and lead the way based on sound technical reasoning. Although we agree in principle, I'm not sure that I'm ready to sign up for Langevin and McCaul's specific suggestion of creating a National Office for Cyberspace. Their reasoning is that "many people and agencies are responsible for securing pieces of cyberspace, but nobody is in charge of the overall vision." While this is no doubt true, I'm not sure adding another bureaucracy into the mix will help.
As they indicate, there are already people and agencies in place to deal with this important issue. I believe what they lack is resources and funding, jurisdictional authority, and leadership. To me it would be better to fix these issues than to start another overlapping bureaucracy. I realize that Washington often goes for the solution that appears to be doing something rather than one actually accomplishing something. No doubt the logic is that it helps your re-election efforts to say you helped create a new government agency rather than getting an existing one on track to actually improve cyber security.
It is interesting to note that the title "U.S. must update laws defending against foreign hackers" would seem to imply that we need laws against this activity. This is similar to thinking laws against stealing cars prevent auto theft - if so, why do we all still lock our cars? To be fair to the authors, I don't know if they actually wrote the headline or an editor did that.
I hope this isn't the authors' thinking, and further reading into the body of the article gives me some hope. They believe that a "new collaborative regulatory model that espouses sensible regulations, combined with incentives, will result in stronger cyber security throughout the private sector." I'm interpreting this to mean they are going to work on regulations to prevent hacking from happening more than trying to punish hackers after the fact.
I would hope this office (be it the proposed new office or a reconstituted existing agency) would focus on raising awareness of the issue and getting the government and private sector to take a proactive approach to preventing hacking rather than reactive measures. Any new regulation should be aimed at encouraging this type of behavior, similar to the HIPAA and Sarbanes-Oxley regulations.
At the same time they would also do well to study the impacts of HIPAA and Sarbanes-Oxley to avoid some of their pitfalls. The last thing we need is more "security theater" similar to much of what the TSA puts us through at airports. Check out security expert Bruce Schneier's blog for a number of articles on how many of the TSA activities, while well-intentioned, are useless in terms of actually making us more secure. Perhaps we need to draft Schneier to head up this effort.
Langevin and McCaul's recommendations are part of the final recommendations of the Commission on Cyber Security for the 44th Presidency. The fact that such a committee exists coupled with President-Elect Obama's promise to appoint a CTO are good signs that information technology and data security will get some needed emphasis in the coming years.
"Hackers" photo by José Goulão