The sudden resignation of Amit Yoran, the Department of Homeland Security’s “Cybersecurity Czar”, reportedly due to frustration at being bureaucratically marginalized, has led to calls for upgrading of the position, from the third- or fourth-level administrator billet that Yoran held, to a place of real authority in the government. If you’re going to call someone a czar you at least ought to give him some power.
But while we consider whether the position should be upgraded, we should also ask what the cybersecurity czar should be doing in the first place.
One uncontroversial aspect of the job is to oversee the security of the government’s own computer systems. Doing this will require the ability to knock heads, because departments and offices won’t want to change their practices and won’t want to spend their budgets on hiring and retaining top quality system administrators. That’s one good argument for upgrading the czar’s position, perhaps affiliating it with a government-wide Chief Information Officer (CIO) function.
A harder question is what the government or its czar can do about private-sector insecurity. The bully pulpit is fine but it only goes so far. What, if anything, should the government actually do to improve private-sector security?
Braden Cox at Technology Liberation Front argues that almost any government action will do more harm than good.
In an article I wrote last year when Yoran was first appointed, I argued that the federal government has a role to play in cybersecurity, but that it should not be in the business of regulating private sector security. Mandated security audits, stringent liability rules, or minimum standards would not necessarily make software and networks more secure than would a more market-based approach, though it would surely help employ more security consultants and increase the bureaucracy and costs for industry.
Certainly, most of the things the government can do would be harmful. But I don’t see the evidence that the market is solving this problem. Despite the announcements that Microsoft and others are spending more on security, I see little if any actual improvement in security.
There’s also decent evidence of a market failure in cybersecurity. Suppose Alice buys her software from Max, and Max can provide different levels of security for different prices. If Alice’s machine is compromised, she suffers some level of harm, which she will take into account in negotiating with Max. But a breakin to Alice’s machine will turn that machine into a platform for attacking others. Alice has no incentive to address this harm to others, so she will buy less than a socially optimal level of security. This is not just a theoretical possibility – huge networks of compromised machines do exist and do sometimes cause serious trouble.
Of course, the existence of a problem does not automatically imply that government action is required. Is there anything productive the government can do to address this market failure?
I can see two possibilities. The first approach is for the government to use its market power, as a buyer of technology, to try to nudge the market in the right direction. Essentially, the government would pay for compromise-resistance, beyond its market incentive to do so, in order to bolster the market for more compromise-resistant software. For example, it might, in deciding what to buy, try to take into account the full social cost of potential breakins to its computers. Exactly how to make this happen, within a budget-conscious bureaucracy, is a challenge that I can’t hope to address here.
The second approach government might take is to impose some form of liability, on somebody, for the types of security breaches associated with this market failure. Liability could be placed on the user (Alice, in our example above) or on the technology vendor. There has been lots of talk about the possibility of liability rules, but no clear picture has emerged. I haven’t studied the issue enough to have a reliable opinion on whether liability changes are a good idea, but I do know that the idea should not be dismissed out of hand.
What’s clear, I think, is that none of these possibilities require a “czar” position of the sort that Yoran held. Steps to improve cybersecurity inside the government need muscle from a CIO type. Changes to liability rules should be studied, but if they are adopted they won’t require government staff to administer them. We don’t need a czar to oversee the private sector.