Let’s All Declare Success and Go Home

By Phil Reitinger

A couple of weeks ago my GCA blog looked back at PDD-63 to see what its predictions and goals told us about today.  This week, I take look at a seminal document, The National Strategy to Secure Cyberspace, released about a year and a half after the terrorist attacks of September 11, 2001.

So what does this document reveal?  Most notably, that there were some wicked-smart people working for Richard Clarke and Howard Schmidt at the President’s Critical Infrastructure Protection Board.  Large sections of the document could be cut-and-pasted into a document being written today, and we are still working on many of its recommendations, which are still on point.  For example, Action/Recommendation 2-8 called on the software industry to promote more secure out-of-the-box installation and implementation of their products.  To this day, efforts continue to promote Secure Development Lifecycles for software and secure configuration for organizations, like those from the Center for Internet Security.

The document was criticized at the time by some for its over-reliance on market-based solutions and public-private partnerships, including being “sixty pages of nothing” because it did “not propose any new laws or…regulations.”  It is true that the document is sixty pages long (even excluding the executive summary) and has forty-seven recommendations.  However, and I say this as documented supporter of additional cybersecurity regulatory requirements, that the criticism then went too far.  The rubric suggested by the National Strategy for government involvement is a good one – for example, protecting essential government services, where there is market failure, and where there are incentives problems (see p. ix).  I disagree with how the Strategy applies this test, concluding “the market itself is expected to provide the major impetus to improve cybersecurity.” But that’s a fight that is unresolved to this day, and the view espoused in the National Strategy is still the majority one in the US, although not my own.  Cybersecurity isn’t a market-only responsibility, but I digress.

Instead, I believe the National Strategy offers an equally important lesson – measurable goals are critical to achieve real progress. The forty-seven recommendations I mentioned above are chock full of “encourage,” “raise,” “develop,” “lead,” “examine,” and worst of all, “encourage…to consider.”   It’s not that these recommendations are toothless but that they are vague.  There are a few “create” and “establish” verbs, while binary, can at least be judged as successful or not.  How do you determine that a leader is effective or an examination sufficient without real goals? When one’s goal is to examine, then you can be successful and go home at the end of the day, even if the problem is still as bad or worse.  The reality that the recommendations and observations of the National Strategy are still so applicable today tells us that we have not come nearly far enough.

The National Strategy was a ground-breaking document at the time, and I applaud it and its authors.  However, we need to go further; we need measurable goals and real accountability.  We cannot “encourage to consider,” we must measure effect.

The author, Phil Reitinger, is the President and CEO of the Global Cyber Alliance

You can follow him on Twitter @CarpeDiemCyber.