It has been announced that President Obama will pick his new cyber czar tomorrow. This will likely be a position reporting to the National Security Advisor, similar to Richard Clarke's position under President Clinton.
This position will be critical for organizing the government's fragmented information security efforts, both for the government sector and for the country's infrastructure, which is largely privately owned. Many of the security tasks that must take place to improve our nation's security posture are well known, and forward-thinking, risk-averse sectors such as the financial industry already employ them. The challenge is rolling out those security tasks to a varied and diverse infrastructure operated by the US government and critical sectors such as energy and telecom. These tasks include deploying hardened OSes, adopting modern patch management, and vetting applications as they enter an organization, before they are deployed.
The challenges facing the new cyber czar include dealing with technology that is increasingly developed in India and China and with attacks that frequently originate overseas. There is a need to reach out internationally, as the technology and infrastructure of the Internet are global. Any new regulations imposed need to be thought of as global in nature. The US cyber czar must take a lead in forging new international relationships to deal with cybercrime and the threat of cyberterrorism, which may emanate from the same countries that are providing the US with the technology we use to run our Internet. Knowing who is friend or foe in the cyberworld gets more challenging every day in our increasingly globalized software and services economy. How do you work with internationally owned companies to get them to do the right thing to prevent cyberattacks from terrorists or nation states when the expense will hit their bottom line?
I look forward to a cyber czar that can take a global view to protect our infrastructure and a risk management view to understand the cost tradeoffs of protective technology and processes.