While we’ve gone close to a decade since 9/11 without airliners smashing into skyscrapers, it is hard to see the Department of Homeland Security as an unvarnished success. Under a variety of directors the department has consistently taken a heavy-handed approach to security that upsets travelers on the left and right alike, relies too much on fear-mongering, and is frequently just plain incompetent. Yet these are the folks who are now about to take over cyber-security, too. I think there is a better way.
According to recent reports there is legislation moving shortly from the White House to Congress intended to put all U.S. non-military cyber-security responsibility with the Department of Homeland Security.
It’s logical, of course, to give policing power to the police. But the policing power we are talking about here is international and domestic, and because of automation would necessarily touch every Internet user, most of them without their knowing they were being touched. Worst of all, there’s a learning curve here, and the people who’ll be climbing that curve are the same ones presently touching our junk down at the airport.
In the 14 years I have been writing this column there have been a number of intrusive security initiatives proposed and abandoned and I have written negatively about all of them. But while I’ve criticized (it is so easy to do, after all) I’ve never proposed an alternative structure… until now.
First let’s admit that there is a huge Internet security problem. Between rogue states, organized crime, industrial espionage, and middle school script kiddies there is plenty of anti-social Internet behavior to go around. Those of us who exist on-line deserve both our privacy and safety from these threats. The problem is that when we invest enforcers with our protection they like to start enforcing before they even know how to protect. Sometimes they enforce and never protect, simply because they don’t know what they are doing.
This DHS cyber-security proposal: we all know it won’t work. How can lawyers and cops expect to build a secure network if they can’t even reboot their PCs? That’s just wasted money.
So let’s take a lateral approach to this problem and instead of trying to turn cops into nerds, let’s get the nerds organized to better enhance data security for us all.
The model I would propose we follow is that of the Internet Engineering Task Force (IETF) — a brilliant structure that has helped the Internet thrive now for a generation.
Why not take this extra money that’s about to be wasted on expanding DHS and instead offer funding for a security task force like IETF but called the Internet Security Task Force (ISTF)? Industry would get behind it. The IT industry would love it. They’d even help pay for it.
Is your phone ISTF 1.0 compliant? Are your PCs ISTF 2.0 compliant? You won’t get your ISO or PCI if they aren’t. IT providers would have the ability to recommend and help move us toward a more secure Internet using an open and iterative structure that would encourage what really works and discourage what doesn’t.
But we can’t allow government to take the lead in this, because they’ll just screw it up.
We need to convene a meeting right away to figure out how to organize the ISTF. Then we need to get DHS to oversee ISTF from the perspective of an evolving security process funded by research and corporations instead of GS-15s with bloated staffs writing plans that will be funded yet fix nothing.
Who will join me at that first ISTF meeting?