American Cyberspace: Can We Fend off Attackers?

Forget It: Bland PR Document Has Only Recommendations

  • Bruce Schneier
  • San Jose Mercury News
  • March 7, 2003

AT 60 pages, the White House’s National Strategy to Secure Cyberspace is an interesting read, but it won’t help to secure cyberspace. It’s a product of consensus, so it doesn’t make any of the hard choices necessary to radically increase cyberspace security. Consensus doesn’t work in security design, and invariably results in bad decisions. It’s the compromises that are harmful, because the more parties you have in the discussion, the more interests there are that conflict with security. Consensus doesn’t work because the one crucial party in these negotiations—the attackers—aren’t sitting around the negotiating table with everyone else. They don’t negotiate, and they won’t abide by any security agreements.

Drafts of the plan included strong words about wireless vulnerability, which were removed because the wireless industry didn’t want to look bad. Drafts included a suggestion that Internet Service Providers supply all their users with personal fire walls; that was taken out because ISPs didn’t want to look bad for not already doing something like that. There’s nothing in the document about liability regulation, because the software industry doesn’t want any of that.

And so on. This is what you get with a PR document. You get lots of comments and input from all sorts of special interests. You get nebulous ideas that sound good but don’t offend anyone. And you end up with a bland document that does little because it demands little.

Much of the document is filled with recommendations and suggestions. For some reason, the Bush administration continues to believe that it can increase cybersecurity simply by asking nicely. This government has tried this sort of thing again and again, and it never works. Businesses respond to business pressures: liabilities, market forces, regulations. They don’t respond to cajoling.

Security is a commons. Like air and water and the radio spectrum, any individual’s use of it affects us all. The way to prevent people from abusing a commons is to regulate it. Companies didn’t stop dumping toxic wastes into rivers because the government asked them nicely. Companies stopped because the government made it illegal to do so.

If the U.S. government wants to improve cyberspace security, it must take action. I like the parts of the document that talk about the government’s own network security, and ways to improve that. I like the parts that talk about awareness and training. I hope there’s actual funding behind those recommendations, and they’re not just idle talk.

But we need more. The government needs to use its considerable purchasing power to fund secure products. And the government needs to pass a law making companies liable for insecurities. If you align market forces with increased security, you’ll be surprised how quickly things get more secure. Leave the feel-good PR activities to the various industry trade organizations; that’s what they’re supposed to do.

This national strategy document isn’t law, and it doesn’t contain any mandates to government agencies. If the government wants a more secure cyberspace, it’s going to have to forget about consensus. It’s going to have to offend people. It’s going to have to lead.

Categories: Computer and Information Security, Laws and Regulations, National Security Policy

Sidebar photo of Bruce Schneier by Joe MacInnis.