I'm going to wrap up my brief series on cybersecurity and the federal government by taking a look at what I think such a post might look like. Let's assume for the sake of argument that the Constitutional objections have been overcome and the small government types have been ignored. What might such a post look like?
- A Cabinet level post
I would envision someone in charge of cybersecurity to have a Cabinet level post within the administration. This post would be in charge of overseeing the cybersecurity threats to the US and make recommendations as to the course of action the government should embark upon.
Tasks would be to assess threats and create models of bots and malware that exist and create simulations of scenarios on what threats are credible which ones are not.
Whether or not cybersecurity should be merged into an existing department like the National Security Agency or Homeland Security is up for debate. At the least, there should be a department that focuses only on cybersecurity and the threats it poses to national security.
- Assess national cyberhealth
We already have a World Health Organization, I envisage this as a kind of a world (hmm, maybe national) cyberhealth organization. Users would be able to get their computers cleaned and the government would foot the bill (because no one else will do it, as I explained earlier).
This would clearly create a conflict of interest. Users might want to come in and get their systems cleaned up, free-of-charge, but might avoid doing so for fear of recriminations. After all, how many of us have music that we have downloaded by way of ill-gotten means? Or software that we normally must pay for to use, but didn't? The music industry or the software industry would likely want to use such a forum as a mechanism to shut down music piraters or forcing users to cough up some cash. If this were a credible possibility, then users might very well decide to avoid using the service. If so, then it completely defeats the purpose of the program.
This is a tough question and one I won't take sides on. Microsoft, for example, has decided that even if you have a pirated copy of Windows, you can still download security updates for free. In a similar manner, what if this program decided that even if you have illegal software or music on your system, you could still come in and take advantage of the program without getting in trouble for it? Its sole purpose would be to remove malware and bots from your system, not to scan for unregistered copyrighted material.
Of course, that would mean that the government would be overlooking one of set of laws in order to enforce a greater good. It's an interesting legal question; good thing I'm not the Attorney General.
- Pressure service providers to clean up
There are some registrars out there that are bad actors. For example, there are one or two bad players out there that register something like 95% of bad or abused URL domains. There are ISPs that don't provide IPs to blocklist providers like Spamhaus. If the registrars were based in the United States, this cabinet post could get legal authority to force these guys to clean up their act and stop taking money from spammers and acknowledge complaints.
But what if these registrars or ISPs were outside of the jurisdiction of the United States? What if it's a domain registrar in China? Well, in this case, an extreme example is to hit the countries in which they are located with trade sanctions. The US could similarly pressure other countries to get all their ISPs to list dynamic IP address space on the PBL. Stuff like that would greatly diminish the freedom spammers currently have.
I'm not suggesting that this is the best idea, it is stuff that is coming off the top of my head. But the point is that with legal authority to back you up and armed with substantial technological background, you really can make a difference.
In a nutshell, that's how I see things. There really is so much more to the discussion than I can possibly outline in one blog post. There are advantages to having done by the government and there are drawbacks. The point is that the issue, in my opinion, is a serious one that needs to be discussed.