An article crossed my desk yesterday that highlights a systemic problem with how government does business. We’ve discussed the “2+2=Grapefruit” situation before, but this is even more basic – it’s how government views problems in the first place.
The article details a kerfuffle raised in Congress over a cybersecurity bill. It seems the administration wants to impose minimum security “fixes,” through DHS, on critical infrastructure that is vulnerable to cyber attack – water supply, air traffic control, electricity grid, etc. – and the US Chamber of Commerce opposes such a mandated requirement. Senator Joseph I. Lieberman (I-CT), chairman of the Homeland Security and Governmental Affairs Committee, backs the measure, and Senator John McCain (R-AZ) opposes it.
The subject matter, and the medium through which the threat emerges, focuses my attention on, not the argument, but the method under consideration. We have heard for some time now that we are vulnerable to a devastating cyber attack, and it’s true. There is no systematic approach to “safing” our networked infrastructure, leading to an inevitable attack at some point by a bad actor – be it a non-state terrorist organization, a pimply-faced kid sitting in his basement, or a hostile power. The Pentagon tells us that these systems are probed around a hundred times a day (that we know of), and that NSA is very good at catching and thwarting them. This also is true. But here we have the terrorists’ asymmetrical advantage – all they have to do is succeed once.
The basic problem is that the medium moves much faster than the remedy – government moves at a geological pace while the world travels at warp speed. By the time Congress gets around to passing a bill safeguarding our infrastructure, the methods contained in that bill are already obsolete, the hacking community having countered anything Congress comes up with.
I tend to agree with Senator Lieberman’s insistence that this is a Pearl Harbor waiting to happen, and with Senator McCain’s objection to the administration’s approach. Congress will never get the upper hand over independent hackers, who react to what Congress is doing. This situation is systemic. The whole approach is wrong. What’s a bit disconcerting is that Congress institutionally knows better, in that it watched as the X-Prize produced astonishingly good results in a remarkably short time-frame by stipulating the goal and leaving the method and process up to private entrepreneurs. NASA is currently testing at least three different man-rated orbiters – Scaled Composites’, SpaceX’s and a Lockheed Martin design – all of which came out of the X-Prize competition. The same approach could (and in my view, should) be used here. Don’t set minimum standards for all of networked industry to mimic; set minimum security levels with which all of networked industry must comply, in whatever manner best suits their individual industry.
Now you’ve got computer experts working on computer problems, not politicians trying to steer business to their district (regardless of the lack of talent in that district). Instead of a prize for meeting the standards, Congress could levy fines for not doing so.
The goal here is that our critical infrastructure be safed – not that politicians be seen as fixing it.