Get All the Smart People Together and Give Them Lots of Money
The best place to start is with a Big Idea to concentrate and organize all the other big ideas - a Manhattan Project for infosecurity.
Daniel Wolf, director of the Information Assurance (IA) Directorate at the US National Security Agency, believes that while good research is taking place in pockets, a massive undertaking to tame this problem ought to be instituted. "It's gaining legs," he says of his Big Idea. "[The Department of Defence] put together a fairly significant working group to look at this."
Such a project would require cooperation among Wolf's IA Directorate (2700 strong, by the way), the US DoD, private-sector scientists, academic researchers, foreign partners, and some of the national research labs such as Sandia and the Defence Advanced Research Projects Agency. Wolf wouldn't say how much money he'd like to see go to such a project, but The SANS Institute's Paller throws out $US100 million as a good number.
Of course, the project would encounter challenges different from those faced by the actual Manhattan Project. There, engineers started with a blank sheet of paper and built the bomb from scratch. With information security, a 40-year legacy of poor coding and bad architectures must be negotiated. But then again, the fact that it's hard is what makes it so necessary.
Hire a Czar
A surgeon general-like figure for security is not only a Big Idea; it's a popular one. Several folks suggest creating some kind of "government leader" or "public CIO for security", none more vocally than Paul Kurtz, the executive director of the Cyber Security Industry Alliance. "We need more leadership at a higher level of government," he says. At the US Department of Homeland Security, he says, cybersecurity has been buried, and he believes DHS should have an assistant secretary-level person for cybersecurity.
At press time, that proposal had been floated but didn't make it into the intelligence reform bill. Meanwhile, a succession of notable leaders for cybersecurity resigned from their DHS posts - some suggest because of frustration over the low status of the role within the agency. The US Congress even explored the possibility of moving government oversight of cybersecurity from DHS to the Office of Management and Budget.
"Somehow, the surgeon general has this special place with us," says Scott Charney, chief security strategist of Microsoft. "We don't have the focal point in security that health-care gets with the surgeon general."
One of the surgeon general's best-known successes is found on the side of cigarette packages. The smoking analogy cropped up repeatedly with big thinkers. Once upon a time, society believed that if you chose to inflict harm on yourself by smoking, you were free to do so. The concept of second-hand smoke changed that equation and now smoking is anathema in many public places.
Networks are no different from smoking in the sense that your bad security habits can adversely affect innocent bystanders. Online, in fact, it may be worse, since the second-hand smoke of cyberspace doesn't dissipate with time or space. It debilitates every machine it touches equally, as if everyone were forced to take a drag.
We propose a high-profile surgeon general for information security, who reports to the secretary of DHS. Imagine labels on software like those on cigarettes - Infosecurity General's Warning: The use of software and hardware that is not certified secure can harm your system and other people's systems, and you may be held liable for those damages.