Think tank releases cybersecurity roadmap for Obama administration

The Center for Strategic and International Studies, a D.C. based think tank, has released their recommendations for a national cybersecurity policy for the incoming presidential administration. The policy guidelines, if implemented, will have a significant impact on the software landscape that reaches far beyond the borders of federal employment and purchasing.

The majority of the report discusses changes to the bureaucratic structure of the government to streamline decision making as well as defining an official and stated military policy for defending cyberspace for the purposes of deterrence. Two of their policy recommendations, namely the use of the government’s purchasing power for improving information security as well as development of a standardized strong identity management system, will both be “good things” for everyone in government and industry alike.

One of the most effective tools we have as a society in making the world bend to our will is economic policy. We can use price pressures and tax breaks to coerce people to do many things, such as drive less, emit less carbon, and save for retirement. If a major party in an economic system makes a unilateral decision to only purchase products of a certain quality, then the entire market will be forced to adopt the product. A government mandate that requires software to be of a certain quality and contain a minimum of defects, defined by a standard metric, will raise the quality of software for the entire industry.

Identity management and verification systems used on the Internet are a collection of ad-hoc solutions that were implemented out of necessity without much thought towards design and maintenance. Answering the questions “who is behind this network traffic” or “should I allow this TCP session to continue” provide no definitive answers as the decision trees used to answer these questions usually terminates before we can positively identify the root-cause actors. Without being able to make such an identification, correct identification of a spammer behind a webmail system or a user on a social network is incredibly difficult.

Even if you don’t sell directly to the government, you should read this report as policies based upon this report will have an impact on your information security work.