Dear Mr. Clarke Schmidt Yoran ______________ ,
Congratulations on becoming the new director of the National Cyber Security Division of the US Department of Homeland Security! With the abrupt departure of former cyberczar Amit Yoran, you must be scrambling to get your bearings. After all, you're the fourth person to hold the position in three years. The others have all quit in disgust, boredom, or anger.
Face it: Nobody with any sense wants your job. It saddles you with blame for cybercrime and cyberterror without giving you any tools to combat them. Take a look at the National Strategy to Secure Cyberspace, leaked like air from a punctured tire throughout 2002 and now gathering dust on the whitehouse.gov server. Cyber Warning and Information Network? Doesn't exist. National incident management? You're not in charge of that. Continuity plans for federal systems? You couldn't do a basic head count of federal systems, much less whip them into shape.
"The Pentagon has a term for this: fucked up beyond all recognition," moans a federal counterterrorism analyst, who begs me not to mention his name. "This is the culmination of a lot of frustration and, frankly, bad management of the Department of Homeland Security." In other words, you're not a czar at all. You're a patsy.
If you're to last longer than a year, you're going to have to play your weak hand with exceptional brilliance. Allow me to make a few suggestions.
You're getting shin-kicked every day by mysterious blackhats in Germany, Korea, Nigeria, and Russia. How can a czar do his job without so much as a palace guard? Fortunately, there's a big stick within reach: the Secret Service Electronic Crimes Branch. Just like you, its officers are stuck in Homeland Security, but unlike you, they can arrest people. Someday, hacker networks will be tracked with the same professional attention given to other organized criminal rings. Until then, you need to persuade the Secret Service to do some heavy lifting for you.
Once you've got some real firepower, you need to hammer out rational policies. Cybersecurity has always been about apocalyptic alarmism justified by rubber statistics. You have a chance to bring it in line with reality. If you can lure people to come clean with you, you'll have a prayer of knowing what you're talking about. So make yourself available. Throw great parties. Get people to tell you about their vulnerabilities. Coax them to own up to their financial losses and shockingly inadequate software. Be trustworthy and factual; nobody has tried that tactic.
You also need up-to-the-nanosecond information about the state of the Net. The Feds treat the organizations that monitor the health of the Internet - Carnegie Mellon's CERT Coordination Center, the SANS Institute's Internet Storm Center - like a bunch of pencil-necked geeks from Mars. In fact, they're indispensable resources. Get these mavens on the same page, spread some real money around, and watch the influx of data. Someday, accurate Internet "weather reports" will track anomalous slowdowns, stoppages, and traffic jams. Warn Congress that if you don't create them, the Europeans will.
Now here's a stumper: You're the cyberhoncho at Homeland Security, yet cyberspace has no homeland. The logical conclusion? You're a diplomat.
The US cyberczar needs his or her own foreign policy. See the world! Meet interesting people! Befriend other cyberczars, like Andrea Pirotti, head of the European Network and Information Security Agency. Make a suave, persuasive case for global law and order and recommend best practices in network management. Dole out cool hardware at discount prices. Then go back home and assure US vendors that fussy foreign investors insist on doing security, well, the way you want it done yourself.
Finally, you need to develop the ability to see around corners. Recruit every graying pundit, unemployed CEO, and retired computer scientist you can find. Put them in skunk works, think tanks, blue-ribbon panels. With some brainiacs around, you might be able to outguess future assaults and prioritize future problems. And if your team could create some user-friendliness amid the current morass of patching, installation, configuration, verification … well, a grateful humankind would erect statues to you.
This is your show. You are Johnny-on-the-spot. You have nothing that players in the federal government traditionally need to succeed - no carrot, no stick, no clout, no bully pulpit, not one damn thing. But you've got to start somewhere.
Email Bruce Sterling at bruces@well.com.
Advice for the Cyber Chump, er, Czar