A couple of weeks ago, an article appeared on arstechnica.com asking the question "Should cybersecurity be managed from the White House?"
During the recent presidential elections in the United States and the federal elections in Canada, the two major players in both parties had differing views that crossed borders. In the US, the McCain campaign tended to favor free market solutions to the problem of cybersecurity, and the Conservatives in Canada took a similar position. In other words, rather than having the government step in, industry instead would collaborate to stamp out (or at least control) the problem of spam, botnets, and so forth. Conversely, the Obama campaign, as well as the Liberal Party in Canada, tended to favor more government interaction to oversee the problem. Here are some excerpts from the article:
In a report released Monday, the nonpartisan Center for Strategic & International Studies served up dozens of recommendations for improving American cybersecurity—but by far the most headline friendly was the call for a new National Office for Cyberspace within the White House, headed by an "assistant to the president for cyberspace," or cybersecurity czar.
Of course, the U.S. arguably has a "cybersecurity czar" already: Rod Beckstrom, who heads the National Cyber Security Center within the Department of Homeland Security. But the experts on CSIS' Commission on Cyber Security for the 44th Presidency argue that DHS is the wrong agency to take the lead on cybersecurity, which should be coordinated by a White House office with a direct line to the president. "Securing cyberspace," they argue, "is no longer an issue defined by homeland security or critical infrastructure protection" but rather "an issue of international security in which the primary actors are the intelligence and military forces of other nations." Under their plan, the existing NCSC would be fused with the Joint Inter-Agency Cyber Task Force to form the NOC. Similarly, a new Cybersecurity Directorate within the National Security Council would absorb relevant functions of the Homeland Security Council.
The cybersecurity effort within DHS has, perhaps understandably, focused on hardening the .gov domain against attacks, an approach that the report worries "skilled opponents will be able to outflank." And indeed, on the day of the report's release, Estonian defense advisor Heli Tiirmaa-Klaar gave a talk at the conservative Heritage Foundation, in which she stressed that when her country became perhaps the first victim of large-scale cyberwafare last year, only about 30 percent of the targets of attack were on official government networks. Rather, said Tiirmaa-Klaar, cyberwarriors target elements of the civilian-run critical infrastructure as part of broad-based "destabilization operations."
There are some pros and cons to having government oversight of the problem of cybersecurity. In my next post, I'll dig a bit deeper into the issue. Note the last part of the above quote where Estonian defense advisor Heli Tiirmaa-Klaar talked about the cyberattacked experienced by that country in 2007, a topic I spoke about in two previous posts.