Opinion
What Should WH Cybersecurity Coordinator's Job Description Look Like? One Man's View
Part 2 of Ariel Silverstone's "Mission Impossible" series: If President Obama's new cybersecurity coordinator is to have any real impact, there are a few things that will need to be worked into the job description.
By Ariel Silverstone, CISSP
THREE TENETS
I propose to organize this Herculean effort upon three tenets. These pillars reflect my belief that this is not a job that can be done by one person alone. This role must be supported by an organization, and by the office where it belongs. As I described above, this role's scope is beyond the federal agencies alone. The constant sharing, update, testing, verification and enhancement of the data needed and generated by this role is essential and mission critical.
Public/Private Collaboration
For collaboration to work, a real two-way sharing of ideas is needed. Due to the hard and excellent work of many generations of security professionals, the United States government employs some of the brightest minds in the field of information security. The research and development done is paid for, and is done to the benefit of all our citizens. Likewise, innovation is usually seen as the purview of private industry. From Silicon Valley to Syracuse, smart and entrepreneurial men and women have invented and thought, in non-traditional ways, of solutions to problems that are faced by all information users, regardless of the source of their paycheck.
In many countries, sharing of progress is a self-understood, defined, and deeply ingrained process. I propose the official increase of the sharing efforts already done on our shores:
Task 6: Create an official advisory board of industry and government luminaries to advise the Chief Information Security Officer in his or her duties.
Further, why not utilize the formal organizations within the government, even within the Defense and Intelligence agencies, to advise and test the protective measures, electronic and others, which sensitive industry has in place? While the legal framework for performing such action has to be clarified, doing so will pit the best-of-the-best "red teams" versus the most important private sector data and that data's guardians. Only improvement can come out of such effort.
While I clearly anticipate that this plan will generate a lot of consternation within the reading audience, I sincerely believe that other countries (China, Israel, France, to name just a few) are already using, and have for a while used, exactly this type of sharing to the betterment of their nation, and the possible detriment of ours.
Task 7: Recommend legislative changes, where needed, to allow utilization of public capabilities to test and enhance defenses of sensitive industries.
Information Sharing
The term "information sharing" is not limited to testing of a sector's capabilities. The Federal government should monitor for directed attacks targeting sensitive industry sectors and both warn targeted companies and participate in the sector's defense. Actively participating in a defense of a pharmaceutical company under electronic attack is not different than assigning an anti-aircraft missile battery to guard the same company's buildings against bombers. Actively warning a bank against a targeted attack is not different than assigning police personnel to guard the bank's entrances.



