It’s been little more than 24 hours since President Obama named Howard Schmidt his White House Cybersecurity Coordinator, but it didn’t take nearly that long for just about everyone with any interest in security to line up on one side or the other of the “he has no chance/he’ll save the Internet” line.
Within hours of Obama’s announcement, dozens of former policy advisers, security experts, analysts and all manner of consultants had weighed in on the choice. Much of the chatter focused on the fact that Schmidt had held a similar job in the Bush administration and little had gotten done on cybersecurity then, so why should this time be different? Others chose the doomsday prediction route, pointing out that online security is irretrievably broken and Schmidt, or anyone else for that matter, has no chance of preventing the coming cy-pocalypse.
In other words, there was little clear-headed analysis to be found. But some of that is beginning to filter out now that people have had a bit more time to think. Adam Shostack on The New School of Information Security blog writes an open letter to Schmidt, offering some unconventional priorities for Schmidt to tackle. His main point is that Schmidt should help the government and private sector alike become more transparent on security issues and begin to focus on “security outcomes, rather than process.”
Over the last 5 years, in the wake of California’s 1386 and
ChoicePoint’s big breach, we’ve learned about thousands of security
breaches. We’ve discovered that most of our fears don’t come to pass.
Companies don’t go bust, and customers don’t flee. It’s time to embrace
transparency, and admit that we all have security failures. Only by
studying what goes wrong can we really expect to improve. So the first
step is to de-stigmatize failure. That’s not to say accept failure,
it’s disclose them, discuss them, and focus on what we can improve. You
can set the right tone from your bully pulpit…
Finally, I’d urge you to evolve our nation’s security research agenda.
There are many smart, dedicated people working in information security.
Many have been promoting approaches which have yet to take hold. You
must bring new voices and perspectives to research. Emergent fields
like “economics and security,” usable privacy and security, and security and human behavior bring important new perspectives of security as a human-centered discipline.
Schmidt is sure to get plenty of advice, almost all of it unsolicited. And he will by necessity have to spend much of his time working on the nuts-and-bolts processes and technological problems that are facing the country’s networks. But paying some attention to the lesser-publicized issues, like the ones Shostack raises, could hep create the kind of long-term thinking and research that’s needed to address the fundamental security problems we all face.