Sunday, March 27, 2011

The Limitations Of Voluntary Efforts

James Lewis of the Center for Strategic and International Studies (CSIS) is one of my favorite figures in the world of cybersecurity.  I would venture that both Mr. Lewis and the very wise Michael Assante truly get at the heart of the issues we face in the world of cybersecurity like no others.  They do not cover everything, but the issues they do discuss are profound in nature.

Both Mr. Lewis and Mr. Assante like to use analogies as part of their discussions, and I like that as well.  Michael Assante co-wrote a great piece on Roman Aqueducts with current NERC CSO Mark Weatherford (Assante is the former CSO), where they use analogies to compare Roman Aqueducts to the Smart Grid.  I do not want to go into detail about the article, so make sure you read it.  I can assure you it is quite well done.

James Lewis likes to keep things a bit closer to home, and uses a somewhat Socratic method to stimulate critical thinking.  This is extremely evident in a recent testimony to the House Committee on Homeland Security.  In his testimony, Mr. Lewis makes a number of absolutely wonderful points, but the part that resounded with me was the following:

"There is no other area of national security where we rely on voluntary action reinforced by incentives. A policy of voluntary efforts for better cybersecurity reinforced by incentives is not a serious effort to protect national security against real damage and a growing threat. These proposals are best seen as intended to block reform rather than to promote cybersecurity."

In order to understand this, we need a little background.  Nearly all progress being made on cybersecurity in the USA is due to voluntary efforts.  I personally volunteer my time to participate in NIST, OpenSG, and DHS working groups to address cybersecurity for the Smart Grid, as well as additional work I do for California for health care security.  This is not an altruistic endeavor.  My incentive to do so is either because I am paid to do so by a client, or because I want to develop a skill and become a subject matter expert for the purpose of exploring opportunities for commerce.  This works out well in my case, because my efforts have helped me pay my bills.  I am not getting rich doing this, but I am also not eating ramen noodles for dinner every night.

As it turns out, I am not alone.  There are literally hundreds (if not thousands) of people volunteering their efforts to the cause for the exact same reasons.  Of those, about 5% to 10% regularly contribute something besides attending a meeting or a conference call.  There is some progress being made, but it is slow, and most of it has no teeth whatsoever.  Why is that?  Because nobody is in charge, and since there is no compensation for these efforts, there is nothing anyone in charge could do about it anyway.

Don't misinterpret what I am saying here.  I do not believe voluntary efforts are a bad thing.  Heck!  Our US volunteer militias of the 1700s did a fine job whooping some butt back in the day.  Yet one has to understand that once the threat turned into a battle, it was no longer a good idea to sit around and hope that the local blacksmith was going to show up for an attack against the Redcoats.

What our Congress seems to not "get" is that we are currently fighting a daily battle against the bad guys, and the bad guys are winning.  We are not fighting a war in the "classic" sense, but we are definitely getting our butts kicked more often than we would like to admit.  It leads one to question just what Congress and our President use as a determining factor for pouring money into a national security effort.  In fact, I wonder if national security really has anything to do with it at all.  When we light up skies overseas with bombs, and take down villages on the ground, are we doing this to protect anything, or are we simply trying to show the world that we still have plenty of firepower to go around?  Are we protecting our interests, or are we trying to get the President re-elected, or is a member of Congress trying to get re-elected, or more campaign contributions, or whatever?

Of course it could simply be that Congress and Mr. President simply do not feel the battle, because most of what goes on in the world of cyber attacks is not broadcast on the nightly news, and even if it were, it is not likely to have the impact of bombs dropping and villagers screaming with blood running from their temples.  It could also be tradition.  Our Congress is all about tradition in many ways, and one of them is the long tradition of spending a lot of money overseas fighting battles, and NOT fighting domestic cybercrime.  Sure, there have been some token payments, but nothing approaching the billion dollars per day we are now spending fighting wars overseas.

At my last Smart Grid Security Conference I had two people from state public utility commissions as speakers.  Bill Hunteman from the US Department of Energy (a great and intelligent person, by the way) told me he was pleased to see that the PUCs were willing to send them to events such as mine, where they can interact with others and discuss cybersecurity issues.  When I told Mr. Hunteman that the only reason they came was because I paid for their travel expenses, he was surprised to hear that state PUCs had no budget for such events.  This is particularly alarming when you consider that state PUCs are tasked with making decisions about cybersecurity for all of the distribution and "user" portion of the Smart Grid (i.e. Smart Meters, Advanced Metering Infrastructure, Home Area Networking), and nobody at the Federal level has any authority over this.

Think about this for a moment.  We have 50 states with public utility commissions who have little or no budget allocated for cybersecurity expertise being tasked to come up with rules for Smart Grid cybersecurity.  That is perhaps as effective as going to your state Department of Motor Vehicles and asking them to come up with some rules for earthquake-proofing bridges in their spare time, with no budget for hiring bridge experts.

So hopefully, once we are done starting new wars with countries, and have wrapped up some of the other wars we are fighting, our government will consider funding some of the efforts to deal with our coming cyberwar, because once the daily battles turn into a full blown war, we are not going to be ready for it.

Not at this rate.
