Bruce McConnell

President
McConnell International LLC

McConnell International is a Washington-based technology sales, marketing and strategy consultancy. Since 2000, the firm has worked with businesses and governments to facilitate the sale of more than $100 million worth of information and communications technology and services that are bringing government mission performance into the Digital Age.

Bruce McConnell served three presidents as an adviser on national information society issues. As chief of information and technology policy at the White House Office of Management and Budget, he led the team that reformed U.S. encryption export policy, created an information security strategy for agencies, helped redirect federal technology procurement and management along commercial lines, and extended the presumption of open government information into the electronic arena.

In 1999, Bruce established and directed the International Y2K Cooperation Center under United Nations and World Bank auspices. The center coordinated the work of more than 170 governments and countless private firms and organizations in a unique global human and electronic network that soundly defeated the Y2K bug.

He received a bachelor's degree in general engineering from Stanford University and a master's in public administration from the University of Washington. Bruce was named to the Government Computer News Hall of Fame in 1999, and received the Elmer B. Staats Award for Accountability in Government from the American Society for Public Administration and the Federal Computer Week Eagle Award in 2000. He is married to Margaret Anderson and sings tenor with the Thomas Circle Singers.


Obama Breaks the Silence

In a major speech on national security yesterday at Purdue University, Barack Obama highlighted the need to face new threats and not continue “fighting the last war.” Loose nukes, bio-terrorism, and cybersecurity were the three themes.

The fact sheet accompanying the speech included a set of strategic proposals (see below) that address both privacy and security in a balanced fashion. These proposals bear careful evaluation, but clearly suggest a broader scope than the current administration’s “Comprehensive National Cybersecurity Initiative.”

The encouraging news is that the most visible leaders in both parties, Bush (no word from McCain) and Obama, have officially recognized the critical national need to invest in cybersecurity. Obama’s engagement in the topic is real, as related in a very readable first-person account of the event by Purdue’s Gene Spafford, executive director of CERIAS, the cybersecurity center of excellence referred to by Obama. At this rate, the Nation may actually be able to get ahead of this continually evolving threat to the very assets that make us competitive and strong in the world.

For more details on the proposal, see my blog on Government Futures.

Security vs. Privacy? It Need Not Be So

Fifteen years ago, cartoonist Peter Steiner drew two dogs sitting in front of a computer, one saying to the other, "On the Internet, nobody knows you're a dog." This iconic adage, cute in its day, is now a warning.

Criminal, terrorist and nation-state cyberattacks against banks, technology companies, online merchants, individuals and government agencies cost the U.S. economy $400 billion annually. They focus most often on stealing business and military secrets and personal data.

In cyberspace, not knowing for sure what person or device is on the other end of the line has serious downsides. It erodes overall trust, limits users' ability to secure their own systems, hinders effective governmental response, and causes organizations to collect more personal data than they really need.


The Hacker Economy (1)

Last week at the RSA Security Conference, several interesting workshops explored aspects of criminal hacking. One of them, conducted by Charlie Miller, examined the incentives for finding and disclosing vulnerabilities in enterprise software.

Imagine you are a Romanian software engineer with time on your hands, and you are able to find an unpatched vulnerability in an enterprise software program. The good news is that you can sell the information about the vulnerability for several times your monthly salary.

The bad news, for almost everyone else, is that you can get much more for it on the black market than from either of the two legitimate buyers. Neither the manufacturer nor legitimate firms such as iDefense and Tipping Point, who package vulnerabilities for testing use by corporate computer security departments, will pay as much.

Tipping Point's Zero Day Initiative encourages vendors to patch their software via transparency. One of the pages, Upcoming Advisories, provides a list of known, unpatched vulnerabilities from major vendors. The vendors have been notified but have not issued a patch.

A recent look showed 34 "high severity" vulnerabilities that have been pending for over 8 months on average since Tipping Point notified the vendors. Obviously, room for improvement! We'll talk more about why vendors are slow in a later post.

At War, In Secret

According to senior officials inside and outside the national security establishment, the Nation is at war in cyberspace.

This war, like many things in cyberspace, confounds traditional boundaries. It is occurring in part on U.S. soil, where many of the attacked public and private sector computers are located. While some attacks are coming from foreign powers, others are from terrorist groups, and still others come from organized crime. Often the identity and intent of the attackers are unclear.

As Samuel Adams said in 1768, “Even when there is a necessity of military power, within the land . . . a wise and prudent people will always have a watchful & jealous eye over it.” Indeed, it is longstanding policy in this country that the military not be used to enforce the law on U.S. soil, except in major emergencies. This division between national security and civilian law enforcement activities is maintained in electronic surveillance as well. It colors the current FISA extension debate.

Few observers believe these divisions work in cyberspace. Yet there is no clear vision of how to proceed while guarding the underlying principles. For that reason, this matter deserves a considered public conversation. While a national cyber security initiative is necessary and timely, the secrecy surrounding the Administration’s program does not serve the Nation's long term interest.

Former Defense Secretary Robert McNamara said, speaking of Vietnam, "We failed to draw Congress and the American people into a full and frank discussion and debate of the pros and cons of a large-scale military involvement . . . before we initiated the action." We still have the opportunity to avoid that mistake in cyberspace.

The Machine is Us/ing Us

There's a lot of talk about the transformative nature of information technology. One of my favorite commentators on this is a professor of cultural anthropology named Michael Wesch. In this short video, he talks about the way digital information is changing the way we interact with the world.
