Last week, presidential candidate Ben Carson released a plan to improve American cybersecurity. There is much to like in the plan. However, it fails to address the underlying factors weakening American, and particularly government, security.
Carson’s core proposal is to establish a large new cyberdefense agency, the “National Cyber Security Administration.” This new agency would assume responsibility for a range of functions, some of which are new to the federal government and some of which existing agencies already perform. The new agency would, for instance, have the responsibility of ensuring that other government agencies have “Continuity of Operations Plans.” To the best of my knowledge, this is a new form of oversight and would be a good one. The new agency would also consolidate the task of advising on security best practices.
What the Carson cybersecurity plan lacks
The core weakness of the plan is that it doesn’t address the root causes of federal IT dysfunction. Today, the federal government has great difficulty hiring good people. (I have written about this in the past.) Without better staff, any new agency is likely to perform poorly. In addition, the Carson plan puts the NCSA into a supervisory role over existing agencies, but does not explain how this oversight will be exercised. It’s good to require “continuity of operations plans,” but it’s unclear what the NCSA could do if an agency produces an unsuitable plan or allows a plan to fall into obsolescence.
Parts of the reorganization are at best superfluous. Several of the proposed functions for the NCSA amount to research or research-funding for purposes like malware dissection, computer science education, and authentication techniques. Tying this research funding to a new agency might, in the best case, produce better alignment of research with practice. However, it is unlikely to be transformative. On the downside, the NSF and DARPA already have considerable expertise in funding and overseeing academic security research, and a new grant-writing agency is likely to be less effective.
As with all these plans, there is a certain amount of cant. The plan says: “The NCSA is not a new federal bureaucracy. On the contrary, it is a consolidation and unification of the countless and often redundant programs, initiatives and offices which operate disjointedly throughout the government.” Of course it is a new bureaucracy. Frankenstein’s Monster was a new creature, even though assembled out of existing parts.
The bottom line
The Carson plan is more likely to do good than harm. But as long as we are going to take a scalpel to the brains of the federal government, we should aim higher than palliative care. The other campaigns have not yet released substantive cybersecurity plans. Carson has put down a marker, and it now remains to be seen whether the other campaigns are able to do better.