- Create a comprehensive national security strategy for cyberspace.
- Lead from the White House.
- Reinvent the public-private partnership.
- Regulate cyberspace.
- Authenticate digital identities.
- Modernize authorities.
- Use acquisitions policy to improve security.
- Build capabilities.
- Do not start over.
Why does the receptionist need a computer? Well, she needs to take VOIP calls. We can do that with a simple VOIP phone. She needs to know the schedule and set the schedule. So give her access to Exchange, or better yet, through Outlook Web Access, so her computer isn't able to do anything other than connect to port 443 on a server that you run. Sure, it sucks to be her, because she can't use instant messaging, but I think we're starting to see enough personal devices that include mobile IP that said receptionist can have many capabilities that allow her to retain an online presence that does not intermingle with government network assets.
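One way to pin down the lockdown just described, as an added example and not the author's own configuration: a default-deny egress policy for the receptionist's workstation that permits only TCP 443 to the OWA server. The server address 10.20.30.40 and the list of observed connection attempts are constructed placeholders. The block renders the policy as an nftables output chain and also audits connection attempts against the same policy object, so the enforced rule set and the check used to find stragglers cannot drift apart.

```python
"""Default-deny egress policy for a single-purpose workstation (added example)."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class AllowRule:
    dst: ipaddress.IPv4Network   # destination network the host may reach
    proto: str                   # "tcp" or "udp"
    port: int                    # destination port
    comment: str                 # why the hole exists; emitted into the ruleset


# Assumed/constructed: the Outlook Web Access front end sits at 10.20.30.40.
OWA_SERVER = ipaddress.ip_network("10.20.30.40/32")

# The whole policy: one hole, everything else dropped by the chain default.
RECEPTIONIST_POLICY = (
    AllowRule(OWA_SERVER, "tcp", 443, "Outlook Web Access over HTTPS"),
)


def is_allowed(policy, dst_ip, proto, port):
    """True when some rule covers this destination/protocol/port."""
    addr = ipaddress.ip_address(dst_ip)
    return any(addr in r.dst and r.proto == proto and r.port == port for r in policy)


def _addr(net):
    """Render a /32 as a bare address, anything else in CIDR form."""
    return str(net.network_address) if net.prefixlen == 32 else str(net)


def render_nftables(policy):
    """Render the policy as an nftables output chain whose default is drop."""
    lines = [
        "table inet egress {",
        "  chain output {",
        "    type filter hook output priority 0; policy drop;",
        '    oif "lo" accept',
        "    ct state established,related accept",
    ]
    for r in policy:
        lines.append(
            f'    ip daddr {_addr(r.dst)} {r.proto} dport {r.port} accept comment "{r.comment}"'
        )
    lines += ["  }", "}"]
    return "\n".join(lines)


# Constructed sample of outbound connection attempts (dst, proto, port), the
# kind of thing a host agent's connection log would hand you.
SAMPLE_ATTEMPTS = [
    ("10.20.30.40", "tcp", 443),    # OWA: the one thing she needs
    ("10.20.30.40", "tcp", 80),     # plain HTTP to the same server
    ("198.51.100.7", "tcp", 443),   # HTTPS to an arbitrary outside host
    ("203.0.113.9", "tcp", 5222),   # XMPP instant messaging
]


def audit(policy, attempts):
    """Return the attempts that fall outside the policy; each one is a finding."""
    return [a for a in attempts if not is_allowed(policy, *a)]


if __name__ == "__main__":
    print(render_nftables(RECEPTIONIST_POLICY))
    for dst, proto, port in audit(RECEPTIONIST_POLICY, SAMPLE_ATTEMPTS):
        print(f"VIOLATION: {proto}/{port} to {dst}")
```

The policy deliberately has no DNS hole, so the browser has to reach the server by address or via a hosts-file entry; if you would rather allow UDP 53 to a resolver you run, add it as a second `AllowRule` rather than editing the rendered text, so the audit keeps matching what is enforced.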
I work in these environments constantly. And, in these environments, we have continual, intentional or accidental, intermingling of data. This leads to situations where we have malware on either privately-owned (as in, a government contractor) or government-owned (or government-furnished) equipment. I cannot reveal the name of the employer, but I will say that I have seen a computer which was infected with software that copied the users to places in Egypt, and that the data onboard the machine was, individually, unclassified. As an aggregate, however, it painted a very real, classified, picture of what several agencies were doing. This happens every. single. day.
It's going to really suck to lock down non-work-related usage of the internet while working for the government, but I guarantee it will suck less than the first time we have a serious attack that either costs us data (on, for example, a classified weapons system; this would effectively toss billions of dollars out the window) or critically injures our infrastructure (by, say, destroying or preventing access to satellite telemetry, vital routers and network choke points, or by shutting off entire buildings or agencies from the internet and other networks). When that happens (and it will), the effects will be devastating, and we'll be doing everything then that we should be doing now, even though doing it now hurts.
I don't want to have internet access taken away from me at work any more than anyone else does. But, I'll survive.
The other things, like "Lead from the White House" and "Create a comprehensive strategy for cyberspace", are laughable on their face. I see job postings on dice.com and monster.com, and the usual suspects like clearedjobs.com, for people with twenty years in the intelligence community. Folks, the problem is the people doing this stuff are horrible at their jobs. They haven't moved fast enough. They're dinosaurs. Sure, they know how to tie a tie, wear expensive, well-cut suits, wear a Rolex, and are working on their golf handicap (whatever the fuck that means). But these are the same people who don't understand the belief that "once somebody has physical access to a machine, assume they are the superuser." These are the people that say, "well, it's got a firewall, what's the worst that could happen?" These are the people that say, "well, our IT guys all have ten years of experience and are CISSPs."
I want to take them and grab them by the ears and shake them till their Rolexes and jackets fall off and yell HEY IT'S NOT FUCKING WORKING, DO YOU GET THAT? What they've been doing since 31 Dec, 1969, is utterly failing to secure their own assets on the (inter/arpa/sipr/nipr/you-name-it)net.
Let's make one assumption here. The internet, as a whole, is every bit as bad as Neal Stephenson has described it. There are walking, talking, six-foot penises out there. There are dudes with machine guns in suitcases called "reason." And yeah, I am sure there's a guy out there with his own nuke.
If we make that assumption, we realize, whoa, we really don't want to be there. We also realize that there is absolutely zero way to regulate or authenticate that part of the network. It is self-evolving (can any of these guys in the White House explain what BGP is?) and defies blocks and obstructions, by design. Furthermore, when somebody comes along with a way to disrupt it, new technologies emerge to counter the disruption. BitTorrent and Tor are just two ways of doing this; I've demonstrated that even TDMA, that lowly protocol we discarded a long time ago (unless you're a Viper jock), can be used to seriously hinder listening, and to defy disruption.
So, let's not even try to secure the internet. Let's do something a little easier. Let's take the government out of the internet. Let's break off NIPRNET from the Internet, and let's severely restrict network access to all but those who fundamentally require access. Give them personal terminals in the shape of phones, Origami, and other ultrathin devices (no, not Sun Rays, sorry) that are their responsibility, that they pay for, that they support, and that they do not connect to the network. Epoxy the USB ports shut. Cage the network cable at both ends – the machine and the wall – and make sure there's no goddamn inductive pickup on it. Require multifactor authentication, like RSA tokens, CAC, and biometrics (and yes, some of them are a lot better than others). This, combined with physical access strictures, will prevent the vast majority of government compromises, and will also make finding the breaches far, far easier.
Before you do that, you have to decide who lives on the network and who doesn't. This is pretty easy, actually. Refer to EO 13228, Critical Infrastructure Protection, by, surprisingly, the Bush administration. If your name's in there, or rather, you're implementing it, congratulations, your instant messaging is now gone. That laptop you take home nightly? Gone, too.
People talk about an insecure power grid, insecure nuclear reactors, insecure FAA communications, insecure banking. Well, folks, fucking secure them. Airgap the FAA, government-owned power facilities, and legislate airgapped institutions that fall under 13228 – yep, banking, that means you. Yep, telecom, that means you. In other words, if you want to do business on the scale that, say, Wells Fargo does, you've got to prove that you don't have overlap with the internet. Remember. Six-foot-tall, walking, talking penises, nuclear weapons, and machine guns in suitcases.
The bottom line is thus. There are two problems for this 44th president.
The first is that there is nobody he's thinking about, and nobody (well, I can think of two people, but I won't name them here) in the entire government information infrastructure is even remotely qualified to do the things that need to be done. Those things will be really hard, not because they're difficult, but because it will piss off everyone from your receptionist to the joint chiefs. If you want to treat this seriously (hey, the Chinese are), you will ignore that bitching and moaning and jfdi. That person is going to be real unpopular, and is going to need support from either the executive or judicial branch so they can reorganize, fire, and redefine with impunity. It's unfortunate that the executive and judicial branches are both so out of touch with reality that they couldn't pick such a person if they knew they needed to. (Hey, Obama, if you're reading this, drop me a line, and I'll let you know who those people are.)
The second is you have to realize that today, 2008, almost 2009, is far too fucking late to secure the internet. It's the wild goddamn west, only instead of gold rushes and train tracks and civilization, Wyatt Earp and other good guys, it's going to get worse, and worse, and worse. People are going to continue to lose money because they're stupid, people will get killed, entire networks will go down, and that's the way it is. So, GTFO. You have lost the war, and you think you haven't even started the war. Fire anyone who tells you they can secure your networks. They clearly have no idea what is going on out there.