Recently, the White House issued a much-anticipated (at least by the IT security community) report titled Cyberspace Policy Review: Assuring a Trusted and Resilient Information and Communications Infrastructure.
Much of the response has been laudatory, albeit less than wildly enthusiastic. It's easy to understand why. The report says lots of things that are true, and worth repeating. Unfortunately, that's mostly all it does: say things that have been said before. Earlier versions of these platitudes date back to the Clinton administration (here). A later version created during the Bush administration can be found here. These are but two examples. It is left as an exercise for the reader to find half a dozen more. And now that the much-respected Melissa Hathaway, primary author of the report, has stepped out of the Klieg lights, one can almost hear the dust beginning to gather on this report.
Among the many themes that bounce off the walls of this echo chamber, we have:
The Internet has transformed American life and commerce.
We are increasingly dependent on computers and networks for the operation of vital supply chains, financial markets and various elements of the infrastructure.
The complexity, interconnectedness and ubiquity of the Internet make it vulnerable to attack and hard to secure.
Attacks have been increasing in frequency, severity and sophistication.
Most of the IT communications infrastructure is in private hands.
It is important for government and the private sector to work collaboratively to secure cyberspace.
It is important to protect the privacy and civil liberties of the citizenry.
Responsibility for information security is distributed across multiple departments and agencies in the federal government.
The endless repetition of these bromides will not move us forward. Here is what will:
Creating specific criteria that financial institutions must enforce when conducting on-line transactions with customers. I don't mean nebulous standards that vaguely outline best practices. I mean specifics like the use of strong authentication.
Requiring Internet Service Providers to play an enhanced role in protecting the Internet and its users.
Establishing a mechanism that would allow citizens to establish an on-line identity that is nearly as reliable as the ubiquitous driver's license.