President Obama is poised to make good on his promise to appoint a security coordinator. Is hope or fear the more appropriate response from IT professionals?
When I reported China chooses FreeBSD as basis for secure OS, I said:
there's definitely something wrong with US information security policy.
Today, President Obama made it clear to the world that he agrees, when he said that America has failed for too long to protect the security of its computer networks:
It's now clear this cyber threat is one of the most serious economic and national security challenges we face as a nation.
The question on everyone's minds, of course, is "What exactly do you intend to do about it, Mr. President?"
In a rare case of an elected official actually fulfilling a campaign promise, Obama appears ready to appoint his new cyber security coordinator -- a working title for the position, though he hasn't settled on a final, official title for the new cabinet post. In response to questions about what kind of authority and budgetary support this new appointee would have, the President hedged by saying the czar would have "regular access" to Mr. Obama.
Under a cloud of fear and confusion, government officials increasingly appear to be in a panicked frenzy about the state of information systems security, as millions of "attacks" are made against US information technology resources daily. Meanwhile, many government agencies are probably on pause right now, waiting to see what new policies the appointment of a "cyber security czar" will herald.
Comically referring to network security crackers' tools as "weapons of mass disruption", President Obama seeks to frighten us into grasping the level of danger he wants us to perceive, and with the appointment of the slightly less comically labeled "cyber security czar", he seeks to reassure us that he's taking the necessary steps to mitigate those dangers. He started this whole trend in how he talks about information systems security well before the election when he first made his campaign promise to appoint a "cyber security czar" should he be elected.
When he made that announcement, basically everyone in IT professions -- and quite a few besides, of course -- sat up and took notice. Amidst speculations about who would inhabit the new cabinet post (comedy again, in some cases, such as suggestions pure corporate partisans with little actual IT security knowledge like Steve Ballmer might be "good" candidates), the general social climate seemed to be one of jubilation. Everyone seemed overjoyed at Obama's announcement, exclaiming that here, finally, was a Presidential candidate who "gets it". Yay! A "cyber security czar"! The promised land has come!
Meanwhile, I was watching all this unfold and thinking
Really? Think about this: a Presidential candidate -- a class of person who should be the object of suspicion by default -- wants to appoint the computer network policy equivalent to the so-called Drug Czar, who oversees the disastrously prosecuted "War On Drugs". Somehow, this leads to celebration. Are you people really thinking about this?
I, for one, like the Internet. I like its freedom, its impressive flexibility and usefulness and power as a tool of open and widespread communication of ideas. It is one of my favorite things in the world right about now. The idea that a President is creating an ill-defined cabinet post dedicated to regulating computer networking technology "for our own good" frankly scares the bejeezus out of me.
I'm not convinced President Obama is going to screw up the whole Internet (or, rather, the parts of it over which the US government can managed to exert influence). There's reason for hope here. Maybe he'll do it right.
I am, however, convinced that -- whenever government officials start talking about establishing new appointed positions and new agencies to oversee areas of our lives that have never been so centrally regulated before -- it's time to be profoundly suspicious. It may even be time to be scared, no matter what politician it is that says it. Even if you trust this President's intentions, you must realize that it goes far beyond that: there's the question of whether we can trust him to establish the new regulatory office with the right restrictions in place to ensure that it cannot be significantly abused to violate rights and privacy when the next President is in office, and the President following that.
There's no reason for that trust so far. His statements consisted of a lot of hand-waving, euphemizing, and ambiguous refusals to commit to particulars. He laid out a five point plan that basically explained the five different areas where he intends his information systems security policy to affect the operations of government, industry, and our individual lives; he promised he would ensure our civil liberties and privacy would be protected; and he promised the safeguarding of the prosperity facilitated by the Internet. He did not, however, tell us how any of that would be accomplished, or whose definitions of "civil liberties" and "privacy" and "prosperity" would fit into his list of priorities. The take-away from this is that we know, with maybe an 85% certainty, what specific areas of our lives are subject to both hope that he'll do the right thing and fear that he won't.
Time will tell. In the meantime, I ask that those of you in his target audience consider whether you're being too credulous, too blindly hopeful, and whether you should consider what constitutes the proper level of cynicism in your worldview when it comes to the expectations you grant to politicians. Make no mistake about it: Obama is a politician, and should not be exempted from the suspicions due politicians in general. Call it practical paranoia if you must.
So, the question remains: which is more appropriate, hope or fear? I choose both.
Hope for the best. Expect the worst.