At RealClearDefense Steve Bucci points out the elephant in the cyber-security room. The U. S. government does a lousy job of protecting itself. How can it be expected to protect the country?
DHS is responsible for defending the “.gov†domain of the Internet. This covers the entire Federal government structure except for the military and intelligence community, as well as many local and state government entities. It is a huge task. Over the years, DHS built up the National Cybersecurity Protection System (NCPS), but done so in a piecemeal fashion. It has been a noble effort, but faced with present threats, it fails pretty regularly. That is unacceptable.
The United States has more computer users than any other country. Indeed, it has more computer users than the next ten countries combined. It has more cellphone users than any country other than China or India.
It doesn’t have the best hackers. That laurel would probably go to Russia, China, and Israel (pretty much in that order).
IMO the United States should adopt two new strategies concurrently. First, recognize that the federal government is not equipped by temperament or culture to protect itself properly. Present a smaller, easier to defend, and much harder to penetrate target. Counter-intuitively, constrain computer use by the federal government much, much more.
Second, harness the power of Americans. Pay bounties. Give awards for hacking. Does the federal government supply scholarship money for ethical hacking? The profit motive is the one motivation we can expect Americans to respond to.
Point 1. You’ll note that virtually every high level decision maker in the Federal government is pushing 70 years old, and learned everything they ever intend to learn about computers and security in the 1960s. You’ll also note these people are NOT computer scientists, and while they proclaim a need for “STEM professionals” they view such people as peons to be ordered about, rather than social equals. These folk are about as likely to likely to cure our problems with cybersecurity as they are to flap their arms and fly.
Point 2. I mutter to myself now and then we need an anti-internet, a computer communications network which in some ways is radically different from what we have. Perhaps users should be authenticated by fingerprint or retinal scans or some separate code transmittal before sending e-mails. Maybe we should charge a penny or two each for messages with the same content beeing sent to multiple addresses. Maybe the system should be financed by user charges, with no advertising allowed. Maybe penalties for misuse — deliberate trolling, libel, fake news, piracy, etc. — should be draconian. Maybe message encryption should be required.
IOW, there ought to be an internet for people who want to exchange pictures of Kim Kardashian’s latest plastic surgery, and another “hard” internet for people who want to transmit legal documents and dispatch orders to troops.
I have to admit, there’s a stumbling block. What do you do if the Commander in Chief takes pleasure in sending out stupid tweets (or their counterparts) on the hard internet? Could that happen?