Shostack + Friends Blog Archive


"What's The Cybersecurity Czar's Job?"

But while we consider whether the position should be upgraded, we should also ask what the cybersecurity czar should be doing in the first place.

says Ed Felten, and he’s right. He suggests two main jobs: securing the fed’s infrastructures (and in doing so, pulling for more secure product), and imposing liability rules. Ed correctly argues that neither of these requires a “Czar.”

There’s a third role, which I think that the government might be able to play well, and that is helping us collect information. Today, being broken into is seen as an embarrassing failure. In many ways, it is. But, given the number of cases the cops are dealing with, it’s also very common. Much more common than you’d think. The federal government, either the FBI or DHS, ought to be collecting crime statistics. They ought to be studying crime, and publishing analysis. The reporting of crime ought to be made mandatory, especially if there’s a financial impact. The analysis they do ought to be pinpointing common factors which do or don’t exist. (What the industry, without a trace of irony, calls “best practices.”)

This doesn’t require a “czar,” either, but it’s important, and it’s a role that only a government or insurer can effectively play.