When Barack Obama was sworn in four years ago for his first term, there was genuine optimism that he would make meaningful improvements to the security of the nation’s critical infrastructure as well as the policies that govern security and privacy in the private sector. After the Bush administration relegated security to afterthought status for much of the 2000s as it concentrated on terrorism and fighting two wars, many in the security community were hopeful things would soon get better. Things certainly have changed, but whether they’ve improved is a difficult question. With Obama’s second term about to begin, there are still plenty of things he can do to effect real change.
The economy, unemployment and health care all are certain to get more of Obama’s attention in the near term, but here are a few things he could do to make significant improvements in the security of the nation’s networks.
- Forget the cybersecurity bills. None of the bills proposed thus far contains any provisions that would have any major effect on the security of enterprises or consumers. A key component of most of the current proposed measures is some mechanism to give the government access to private information related to threats and attacks. This is going in the wrong direction. Let’s see the government start publishing its own attack and vulnerability data before it starts requiring access to private companies’ information.
- Change the data breach notification mechanism. Right now there are dozens of state notification laws, but no national law. With so many state laws, it’s not clear that a national one is even necessary in order to force more disclosures, but what is needed is a change in the kind of information that’s contained in the disclosures. Telling consumers how many people are affected and what data was taken is nice, but it doesn’t help anyone learn from the company’s mistakes. If a national law is in the plans, then include a provision that requires compromised companies to disclose what happened, how the company was compromised, what vulnerability was used and perhaps what methods the attackers used once they were on the network. And make all of that data publicly available to anyone who wants it.
- Get a handle on exploit sales. The federal government is one of the larger buyers of vulnerabilities and exploits anywhere in the world. Intelligence agencies, the military and other groups inside the government regularly buy vulnerabilities from security researchers and use them for various purposes. But there are plenty of other buyers as well, including defense contractors, foreign governments and brokers who may then resell them to unknown third parties. Regulating this market is likely impossible and probably foolish to even attempt, given the players involved and the fact that many of them aren’t in the U.S. But lawmakers and those who influence policy don’t have any idea of what’s happening in this market. It’s a black box. That needs to change, and fast. Regardless of whether any policies or doctrines emerge, it’s important for the people in Washington to get a clear picture of what’s going on and who is involved.
- Go private. There are a lot of young, talented and highly motivated security people working in the private sector who have the skills to help make significant improvements to the country’s network infrastructure. But they’re not going into government service because there’s no money in it. So go to them. Stop trying to put all of the responsibility for securing government and military networks on the Department of Homeland Security or Department of Defense and bring in some of the outside talent that’s available on a contract basis. Learn from the successes and failures of enterprises and put some of that accumulated knowledge to work. And when something succeeds and things work, publish the results so others can learn from it, too.
There are plenty of other things to tackle, and these likely aren’t the same priorities that the Obama administration would draw up regarding security. But they’re important issues that need to be addressed, and soon.