Earlier this month, Department of Homeland Security (DHS) Secretary Janet Napolitano declared October National Cybersecurity Awareness Month. To be honest, I have not heard of Awareness Month before, even though it's been around for six years.
The DHS blog post mentioned this year's theme as being focused on having everyone, not just industry and government, practice what the DHS calls good "cyber hygiene". Secretary Napolitano explains:
"Americans can follow a few simple steps to keep themselves safe online. By doing so, you will not only keep your personal assets and information secure but you will also help to improve the overall security of cyberspace."
Initially, I took offense at "All computer users, not just industry and government, have a responsibility." Sorry, who is making the mistakes? Then I realized: all of us are. After all, cybersecurity is new and uncharted territory, so DHS wanting us to work together makes sense. To underscore that, DHS decided the theme for this year's Awareness Month should be "Our Shared Responsibility".
Experts are needed
During her speech, Secretary Napolitano mentioned that DHS has been given the authority to hire 1,000 new cybersecurity professionals. Brian Krebs in his Security Fix post quoted Secretary Napolitano as saying:
"This new hiring authority will enable DHS to recruit the best cyber analysts, developers, and engineers in the world to serve their country by leading the nation's defenses against cyber threats."
Secretary Napolitano further mentioned that:
"The department will look to fill critical cybersecurity roles, including cyber risk and strategic analysis, cyber incident response, vulnerability detection and assessment, intelligence and investigation, and network and systems engineering."
Could be a problem
I was feeling pretty good about this. Then, I read IT pundit Bob Cringely's article entitled "The Cybersecurity Myth". He contends there aren't 1000 cybersecurity experts available:
"The number of CCIE's with security as a certification is 2,300 for the entire world. Subtract the 50 percent who work for Cisco, then 50 percent again for those not working in the field any longer, and you get 500 Cisco CCIE Security Experts worldwide. The only way to get another thousand in three years is by training them. But, in the last four months with 800 available seats to sit for the Cisco CCIE Security exam only one person has passed!"
One consultant that Mr. Cringely interviewed for his article disagreed, mentioning:
"Sure there are 1,000 (cybersecurity experts), but they are already employed... as hackers."
That is typical Cringely "shock and awe", but there is some truth to it.
President Obama's turn
Sixteen days into National Cybersecurity Awareness Month, President Obama reaffirmed its importance in this video. He also echoed Secretary Napolitano's call for everyone to do their part. In addition, President Obama proposed the following:
- Networks are to be considered strategic national assets and will be protected as such.
- A public-private partnership is needed to protect the privately-held infrastructure.
- Each of us who use the Internet must take responsibility for our actions and equipment.
Buzz on the security blogs has these being good first steps.
Select a cybersecurity coordinator
President Obama mentioned in the video that he will soon select a cybersecurity coordinator. How soon? President Obama has been hinting at this since February. What many see as indecision has caused several people who were interested in the job to lose patience and withdraw their applications.
The latest to leave was White House senior aide on cybersecurity Melissa Hathaway. You may remember Ms. Hathaway as the person asked to review the federal government's cyberspace policy. She resigned this past August. Ms. Hathaway candidly voiced her concern:
"I wasn't willing to continue to wait any longer, because I'm not empowered right now to continue to drive the change. I've concluded that I can do more now from a different role," most likely in the private sector.
It doesn't take much imagination to realize how difficult this job will be. I have asked several well-regarded CIOs, and they had a tough time determining an appropriate job description, let alone how much authority to give the new position.
Cybersecurity Act of 2009
Besides having a cybersecurity czar report directly to him, Congress may give President Obama unprecedented authority over private-sector Internet services and applications. Right now, the Cybersecurity Act of 2009 is making its way through Congress. Bill co-sponsor Senator Olympia Snowe (R-Maine) explains:
"America's vulnerability to massive cyber-crime, global cyber-espionage and cyber-attacks has emerged as one of the most urgent national security problems facing our country today. Importantly, this legislation loosely parallels the recommendations in the CSIS [Center for Strategic and International Studies] blue-ribbon panel report to President Obama and has been embraced by a number of industry and government thought leaders."
Needless to say, several groups including the Electronic Frontier Foundation (EFF) have deep concerns about this bill. They feel the bill would give the federal government too much power, to the point where the critical infrastructure in this country would be federalized.
The EFF is also concerned about the loss of individual privacy, offering the following bill provision as one example:
"The Secretary of Commerce shall have access to all relevant data concerning (critical infrastructure) networks without regard to any provision of law, regulation, rule, or policy restricting such access."
The age-old "security versus privacy" challenge seems to be upon us once again.
Final thoughts
We all know the critical infrastructure of the United States is vulnerable to electronic attack. It's also obvious that cybersecurity is complicated. What's not so obvious to me is whether enough is being done and the right decisions are being made. What do you think?
Michael Kassner is currently a systems manager for an international company. Together with his son, he runs MKassner Net, a small IT publication consultancy.