More on whether cybersecurity should be managed from the White House
Continuing on from my previous post, should there be a central government authority that oversees cybersecurity?
The article which I originally cited earlier continues:
As everyone now seems to agree, that means effective cybersecurity requires bringing together a dizzying number of players, from the IT heads of government agencies and major private firms to software and hardware manufacturers to diplomats. Because large-scale attacks are often carried out by transnational botnets, Tiirmaa-Klaar argued, a coordinated international legal response will be necessary to prevent them. That might mean, inter alia, developing model legislation for developing nations where low-tech law enforcement allows cybercriminals to thrive.
As far as CSIS is concerned, that means cybersecurity efforts require the sort of bird's-eye view available only from a perch at the White House—and the kind of authority to yoke together disparate actors that only a presidential imprimatur will provide. Yet at the same Heritage event, Frank Garcia, a career staffer with the House Permanent Select Committee on Intelligence, voiced doubts about proposals to shift primary responsibility for cybersecurity away from DHS. "Any new organization or bureaucracy takes a while to get their culture established," said Garcia. "Fix the problems as they may exist at DHS. Don't try to create some supra-group somewhere else that rises above all the other organizations in the executive branch. Because you're still going to have the same problem. Nobody's going to want to give up budget authority to that group; it doesn't matter where you put it."
In comments to reporters last week, DHS Secretary Michael Chertoff conceded the need for a "White House mechanism" to harmonize cybersecurity efforts across agencies, but also sounded a preemptive skeptical note. "We've heard you have to have a cyberczar," said Chertoff. "You have to have a czar for this and a czar for that. Just remember — all these things add extra layers."
Since we now have an Obama administration in the White House (or rather, we will in less than a month), it looks like a central agency is going to oversee this. There are some advantages:
Resources - Only a central agency really has the ability to mobilize resources to get something like this off the ground and co-ordinate a centralized effort to improve cybersecurity.
Co-ordination - With someone ultimately in charge at the top, real decisions can be made. Microsoft might argue with Yahoo who in turn disagree with AOL (or whoever the players are) but ultimately somebody has to call the shots. Eventually a decision must be made and only someone with real authority can unilaterally make the decision to move forward, if an impasse has been reached.
Of course, while there are advantages, there are clearly a number of drawbacks. Here are a couple that I can think of off the top of my head:
Bureaucracy - as DHS Secretary Michael Chertoff says, adding more and more layers of bureaucracy and yet another government agency doesn't add any more efficiency to the problem. People have to report to other people and government agencies are notorious for having to follow protocol. Besides which, we already have the Department of Homeland Security. Do we really need another one?
Track records - Governments don't really have the best track records when it comes to dealing with issues. As the old joke about government goes, "You think the problems we created are bad? Just wait until you see our solutions!" In other words, even if we have determined that another government agency to oversee this is a good thing, government does not have the track record of doing things efficiently. In other words, all we do is end up consuming more taxpayer resources to do a job that private industry could have done better, but now cannot, because those resources have been consumed.
It certainly is an interesting problem to have. And given the current economic climate, I'm not sure how much attention it will get during the first 100 days.