US President Obama has recently announced some potentially valuable cyber security efforts. A national cyber security policy is necessary and I look forward to hearing more about implementation of these efforts. In reading about cyber security and policy I recently ran across the Mercatus Center at George Mason University.
According to the Mercatus Center’s FAQ, “The Mercatus Center is a university-based research center dedicated to bridging the gap between academic research and public policy problems.” That sounds especially valuable in the cyber security arena where hype and ignorance often combine to make it difficult even for practitioners to sort out truth from exaggeration. Cyber security is only one interest area for the Center.
With research report titles such as “Why the Cybersecurity Framework Will Make Us Less Secure” and “Loving the Cyber Bomb? The Dangers of Threat Inflation in Cybersecurity Policy”, the cyber security research at the Mercatus Center is clearly provocative and timely. The reports are not just critical (when they are so), they also offer alternatives and recommendations. They certainly make one think about the issues they discuss.
In my mind, cyber security is way too important an issue to allow policy to be implemented without critical analysis. One paper on the Mercatus cyber security page addresses the market and cyber security. I recall when the Internet was still the ARPAnet and access was quite limited. I also remember the phenomenal growth the ‘net has had since it was opened to the market and basically free from government intervention. This paper discusses market factors in security and potential issues of excessive regulation. It is well worth reading.
Too often, government and corporate security policy is created without sufficient input from technically savvy individuals. This leads to – among other things – unworkable policies and unintended consequences. We discuss this issue from the standpoint of organizational policy early on in Learning Tree’s System and Network Security Introduction; we do not, however, discuss it as a factor in national policy.
I firmly believe that when it comes to national policy, a market-based approach is necessary and appropriate, but as the referenced Mercatus paper points out, the negative externalities make increased regulation and government policies attractive to some. I don’t think throwing money, rules, and regulations at the problem will help significantly. What I think will help are education, good design, and most importantly a proper attitude toward cyber security. We know the importance of keeping our wallets and billfolds safe when we are out; we watch our credit cards carefully to avoid them getting stolen: we have a security mindset when it comes to our personal financial resources. What we need to develop – and encourage in others, both businesses and public organizations – is a security mindset when it comes to cyber resources. This blog and our introduction to security course are ways I’m personally trying to do that.
To your safe computing,