Barack Obama Takes on Cybersecurity

Something, perhaps it's next week's Black Hat 2012 conference in Las Vegas, inspired President Obama to sign his name to a Wall Street Journal op-ed today on what has come to be known as "cybersecurity." This subject is indeed security-related, but the "cyber" part of the name is uninformative. The term refers to attacks on computer in a national security context.

The President gives examples of horrible things which could, in theory, occur, laments the lack of proper precautions at many providers of "critical infrastructure," and then urges the passage of the Cybersecurity Act of 2012.

I must confess, I've been turned off over the years by the doomsday scenarios of the cybersecurity lobby. They remind me too much of Y2K. But many people I respect, people like Mark Russinovich who clearly know how computers work in the real world, take the matter seriously, so I trust it needs to be taken so.

It's hard, on the other hand, to think that President Obama or any real consensus in government feels any urgency. They always talk urgency, but concern over cybersecurity (a horrible word, obviously created by politicians and not engineers) is an old game in Washington. George W. Bush took it seriously enough that several people served in a capacity of advisor to the President on the matter. One of them, Howard Schmidt, was later appointed by President Obama as Cyber-Security Coordinator working out of the Executive Office of the President.

The job of this top cybersecurity officer seems to be coordinating the writing of reports which detail the severity of the problem and then courageously propose further study. We've had many of these over the years. but the C-SC has no actual authority over anyone or anything.

The Cybersecurity Act of 2012 is also the latest in a long line of attempts to legislate a coordinated government approach to the problem. The efforts have -- thankfully -- been watered down over the years from earlier efforts which would give the President an absurd level of control over the Internet. Most of what's left is redundant and/or of minor value. A lot of it is funding research which is already being done without the funding. A lot of it is establishing coordination mechanisms which already exist. A lot of it is the usual mandates for agencies to report to Congress.

There is some interesting stuff in there that's truly necessary, such as legal safe harbor for companies engaged in good-faith security activities from frivolous legal actions. The President specifically mentions this in the op-ed, and scaling back corporate liability is not something you'd expect him to advocate.

To me the central flaw of earlier legislation was the presumption in them that in a cyber-emergency -- whatever that is -- some government group from the NSA or DHS would know better how to run the Internet than the private companies that do so all day, every day. The new bill has no "kill switches" or anything like it. The measures may be redundant, but their aim is to help Internet administrators to manage situations with the help, not direction, of the government. So in the end this bill may be bland and inoffensive enough that it may pass.

But nothing any bill like this can do will really change the problem. It's 2012, and if you are responsible for an element of critical infrastructure like the water supply or the power grid and you're leaving it insufficiently protected and even exposed to the Internet, you and your company are being negligent.

This stuff's complicated enough that nothing is impenetrable to a sufficiently intelligent and resourceful attacker, but that's always going to be true. The problem is people who are too careless or incompetent to do a good job, and that's also something that government is not likely to solve.