Can We Secure Government Networks? Yes, We Can, Theoretically

Government networks face a lot of threats, as private networks do, and securing either is a complicated and expensive process. It's not just a matter of exhibiting leadership.

The pressure is on President-elect Obama to make cyber-security a priority issue. What can the government, let alone the president, do about this? Obama has said, "As president, I'll make cyber-security the top priority that it should be in the 21st century. I'll declare our cyber-infrastructure a strategic asset, and appoint a national cyber-adviser, who will report directly to me."

My guess is that President Obama's national cyber-adviser will run into the same problem that previous attempts have found: No section of the federal government is interested in giving up control over the security of its own computers. There can be, and are, standards for the security of systems in federal networks. The standards are modest and not well adhered to, and they don't include any clear penalty for noncompliance.

If the implication of Obama's plan is that there will be some IT security czar or agency in charge of setting and enforcing IT security rules (currently the OMB, the Office of Management and Budget, seems to have the main role in the standards I mentioned), I have to say it's hard to imagine him, her or it succeeding.

There were a bunch of people more or less in this role in the Bush administration. Remember Richard Clarke? Amit Yoran? Greg Garcia? Some people would dismiss these people as ... well, they worked for Bush so they must be corrupt or incompetent or, in Richard Clarke's case, defeated by the forces of corruption and incompetence. I figure the truth is different and more discouraging.