On March 10, a subcommittee of the House Homeland Security Committee held a hearing on cybersecurity. The report featured testimony from the Government Accountability Office (GAO). The GAO presented 12 key areas of improvement identified by a panel of cybersecurity experts (listed in Appendix 1 of the report). GAO's report also references an influential report by the Center for Strategic and International Studies.
The list proposed by the GAO and promoted in the hearing is sensible enough. It represents, however, a strategy that calls on the government to simply "do everything." Additionally, the approach suggested by the report and the experts it drew upon is very "government-centric." This represents a fundamental flaw in approaching the challenge of cybersecurity. And here is why.
First, the cyber-world is a large, disorganized complex system. Developing a hierarchical, centralized management structure to attempt to govern the behavior of these kinds of systems is extremely difficult.
Second, the cyber-world is extremely dynamic. Government organizations are generally not. It is difficult to imagine how a White House-centric approach could successfully keep up with the rapid changes and innovations in the cyber-world.
Third, the cyber-world is an integral part of modern civil society, fundamental to the expression of individual liberties and the innovations of the free market. Centralized security could potentially threaten these freedoms.
All this is not to say that the federal government should do nothing. On the contrary, there are serious security challenges in the cyber world. We outlined these in a Heritage report, "Combating Enemies Online: State-Sponsored and Terrorist Use of the Internet." But rather than the federal government trying to do "everything" to address these challenges, Washington would be better served by focusing on developing core competencies applicable to dealing with the realities of the cyber-world. "Building Cyber Security Leadership for the 21st Century" describes this alternative approach. The report calls for placing "more emphasis on developing leaders who are competent to engage in these issues. This will require a professional development system that can provide a program of education, assignment, and accreditation to develop a corps of experienced, dedicated service professionals who have an expertise in the breadth of issues related to the cyber environment. This program must be backed by effective public-private partnerships that produce cutting-edge research, development, and capabilities to operate with freedom, safety, and security in the cyber world." To implement this approach, the report calls on the government to focus its efforts primarily on educating leaders in the federal work force, conducting advanced research, and providing incentives for private sector initiative.