2005-01-28

Cybersecurity Commission or Agency

2015-08-31

Cybersecurity, or rather the lack thereof,
has been much in the news in 2015.
The OPM data breach is a mammoth blow to U.S. security,
with ripple effects such as
"China and Russia are using hacked data to target U.S. spies".
And of course there have been many other worrisome hacks of governments at all levels and of corporations.

My question is:
Would it not be a good idea to establish a high-level commission
to address the issue of what can be done to make U.S. computers and networks more secure?
Right now, as I understand it (and I am no expert on these matters),
various elements of our society are working at solving this problem.
  • The White House has, supposedly, a cybersecurity "czar" (anybody heard from him lately?);
  • various agencies such as NIST, GAO, OMB, DHS, CERT all are playing roles;
  • no doubt the academic sector has various groups working on it (Carnegie Mellon seems especially active);
  • private industry, from hardware, software, and system vendors to all the end users, no doubt are working on it;
  • and various professional organizations, IEEE, ACM, etc. no doubt have SIGs on it.

All this is nice, and no doubt essential.
But is anyone taking an overall look at the problem,
free from having to look at it from just one point of view?
Is anyone really looking at the big picture, from the long range point of view,
able to "blue sky" possible solutions to the problem,
conducting tradeoffs which individual groups might not be able to make?
For example, and perhaps most critically,
have we made the correct tradeoff between ease of use and security?
Could we make our systems more secure by making them a little (or maybe a lot) harder to use?
Should some systems be harder to use, but more secure?
So individuals and corporations could choose?

Then there is the education and training issue.
Some say the OPM data breach was exacerbated by patches not being applied,
which in turn was due, in part, to a lack of trained personnel.
How significant a factor was that?
Is anybody putting together a comprehensive report on the ways (no doubt multiple) that breach could have been prevented?
[Note added 2018-02-16:
Yes! See the 2016-09-07 House Oversight and Government Reform Committee report
"The OPM Data Breach: How the Government Jeopardized Our National Security for More than a Generation".]

Anyhow, you see there are a number of questions and issues here.

Should there be a national commission, and perhaps a national agency (the National Cybersecurity Agency), working this problem?

2016

2016-04-13-Obama-WH-announcing-presidents-commission-enhancing-national-cybersecurity
Announcing the President’s Commission on Enhancing National Cybersecurity
by Michael Daniel, Ed Felten, Tony Scott
2016-04-13 : April 13, 2016 at 6:34 PM ET

In February, the President announced a Cybersecurity National Action Plan (CNAP) to take a series of short-term and long-term actions to improve our nation’s cybersecurity posture. A central feature of that plan is the non-partisan Commission on Enhancing National Cybersecurity, comprised of leading thinkers from business, technology, and academia and charged with making recommendations to the nation for actions that can be taken over the next decade to strengthen cybersecurity in both the public and private sector.

Today, we are pleased to announce that the President and the bipartisan Congressional leadership have selected the 12 individuals to serve on the Commission. They are:

Tom Donilon, former Assistant to the President and National Security Advisor (Chair)
Sam Palmisano, former CEO of IBM (Vice Chair)
General Keith Alexander, CEO of IronNet Cybersecurity, former Director of the National Security Agency and former Commander of U.S. Cyber Command
Annie Antón, Professor and Chair of the School of Interactive Computing at Georgia Tech
Ajay Banga, President and CEO of MasterCard
Steven Chabinsky, General Counsel and Chief Risk Officer of CrowdStrike
Patrick Gallagher, Chancellor of the University of Pittsburgh and former Director of the National Institute of Standards and Technology
Peter Lee, Corporate Vice President, Microsoft Research
Herbert Lin, Senior Research Scholar for Cyber Policy and Security at the Stanford Center for International Security and Cooperation and Research Fellow at the Hoover Institution
Heather Murren, former member of the Financial Crisis Inquiry Commission and co-founder of the Nevada Cancer Institute
Joe Sullivan, Chief Security Officer of Uber and former Chief Security Officer of Facebook
Maggie Wilderotter, Executive Chairman of Frontier Communications

[Too bad they couldn't, or didn't try to,
get Bill Gates to serve as co-chair of the commission.
Also notable for their absence is anyone from the departments of computer science at Stanford or CMU,
both of which have really outstanding programs in CS.
CMU also has a research institute dedicated to cybersecurity: CyLab;
no direction from them?]

2016-09-07-HOGRC-committee-releases-year-long-investigative-report-opm-data-breaches
The OPM Data Breach: How the Government Jeopardized Our National Security for More than a Generation
House Oversight and Government Reform Committee, 2016-09-07