A Sample Security Agenda for Obama’s Second Term

When Barack Obama was sworn in four years ago for his first term, there was genuine optimism that he would make meaningful improvements to the security of the nation’s critical infrastructure as well as the policies that govern security and privacy in the private sector. After the Bush administration relegated security to afterthought status for much of the 2000s as it concentrated on terrorism and fighting two wars, many in the security community were hopeful things would soon get better. Things certainly have changed, but whether they’ve improved is a difficult question. With Obama’s second term about to begin, there are still plenty of things he can do to effect real change.


The economy, unemployment and health care all are certain to get more of Obama’s attention in the near term, but here are a few things he could do to make significant improvements in the security of the nation’s networks.

  • Forget the cybersecurity bills. None of the bills proposed thus far contains any provisions that would have any major effect on the security of enterprises or consumers. A key component of most of the current proposed measures is some mechanism to give the government access to private information related to threats and attacks. This is going in the wrong direction. Let’s see the government start publishing its own attack and vulnerability data before it starts requiring access to private companies’ information.
  • Change the data breach notification mechanism. Right now there are dozens of state notification laws, but no national law. With so many state laws, it’s not clear that a national one is even necessary in order to force more disclosures, but what is needed is a change in the kind of information that’s contained in the disclosures. Telling consumers how many people are affected and what data was taken is nice, but it doesn’t help anyone learn from the company’s mistakes. If a national law is in the plans, then include a provision that requires compromised companies to disclose what happened, how the company was compromised, what vulnerability was used and perhaps what methods the attackers used once they were on the network. And make all of that data publicly available to anyone who wants it.
  • Get a handle on exploit sales. The federal government is one of the larger buyers of vulnerabilities and exploits anywhere in the world. Intelligence agencies, the military and other groups inside the government regularly buy vulnerabilities from security researchers and use them for various purposes. But there are plenty of other buyers as well, including defense contractors, foreign governments and brokers who may then resell them to unknown third parties. Regulating this market is likely impossible and probably foolish to even attempt, given the players involved and the fact that many of them aren’t in the U.S. But lawmakers and those who influence policy don’t have any idea of what’s happening in this market. It’s a black box. That needs to change, and fast. Regardless of whether any policies or doctrines emerge, it’s important for the people in Washington to get a clear picture of what’s going on and who is involved.
  • Go private. There are a lot of young, talented and highly motivated security people working in the private sector who have the skills to help make significant improvements to the country’s network infrastructure. But they’re not going into government service because there’s no money in it. So go to them. Stop trying to put all of the responsibility for securing government and military networks on the Department of Homeland Security or Department of Defense and bring in some of the outside talent that’s available on a contract basis. Learn from the successes and failures of enterprises and put some of that accumulated knowledge to work. And when something succeeds and things work, publish the results so others can learn from it, too.

There are plenty of other things to tackle, and these likely aren’t the same priorities that the Obama administration would draw up regarding security. But they’re important issues that need to be addressed, and soon.

Discussion

  • Marcel Conyers on

    I agree in part with the second bullet. However, I don't see how disclosing "...how the company was compromised, what vulnerability was used and perhaps what methods the attackers used once they were on the network..." to consumers adds any value. If anything, it'll leave consumers more confused and paralyzed by FUD than ever before. I can see the value of disclosing this type of information to the security community. But it could be damaging, reputationally and financially, to the companies whose data was breached. Think of all the OSINT bad guys could grab from this kind of disclosure. How about all the lawsuits that would result? We need to think through this and have a very open dialogue that's inclusive of the security community's boots-on-the-ground experts (i.e. NOT just CISO types) to get this one right.

    @ceptera

  • Sample Contracts on

    This term Obama has to focus on the unemployment rate and the economy; he should find permanent solutions for it.

  • Anonymous on

    I think Obama will concentrate on his golf game, narcissism and delegating to people he can blame. Tell me when you saw a leopard change its spots.

  • Anonymous on

    Zero Days and exploits or even PoC are paid for mostly by the US government and it is always in the best interest of the researcher to get many times more $$$ from a State (US) than the maker of the system. We will call that Grey Hat Security.
