Schneier is chief security technology officer at BT and author of Beyond Fear: Thinking Sensibly About Security in an Uncertain World (Springer; 2003). He blogs at Schneier on Security. He's a rare voice of calm common sense in an industry which thrives on pumping up fear and hysteria.
Schneier makes three points:
1) The government is a huge customer of IT products, and that gives the government enormous clout in setting the direction the entire industry goes. The government needs to demand security of its vendors. We "all benefit because they'll include those improvements in the same products and services they sell to the rest of us," Schneier says.
2) "Two, legislate results and not methodologies." For example, a "law requiring companies to secure personal data is good; a law specifying what technologies they should use to do so is not," Schneier says.
3) "[B]roadly invest in research." Basic research is financially risky, which is why the private sector is cutting back, but it results in important advances. Some basic research looks ridiculous to the average person, but do it anyway, Schneier says.
He's skeptical that the normal legislative process will achieve good security, because security, by its nature, always makes someone angry -- the information brokers, manufacturers of voting machines, and telcos, to name three.
Schneier made his recommendations last month, after both Barack Obama and John McCain described their visions for cybersecurity. Neither candidate's vision was breathtakingly original to anyone who's been following cybersecurity closely. Obama wants to make cybersecurity a top priority and appoint a cybersecurity czar reporting directly to him, rather than to the Department of Homeland Security. McCain wants to make sure government agencies have interoperable systems at the state, local, and federal levels.
Blogger frankpoole at DailyKos says that the next president should name Schneier as the nation's cybersecurity czar (a position Barack Obama said he would create).
One of the biggest priorities for the next president should be to avoid boondoggles, says Richard Stiennon, founder of Secom Global, a managed security service provider, writing at Network World. "Yes, raise the cybersecurity issue. OK, hire a specialist to advise you, or better yet a bunch of specialists, but, do NOT create huge spending programs. Do NOT create laws and regulations requiring industry to 'be secure.' They just are not needed," he says.
What cybersecurity goals do you think the next president should have? Which candidate has the best cybersecurity platform? Let us know.