Federal IT strategy, hope over reality
Lawmakers strike new tone with proposed bill
The purpose of this bill was to give the president the ability to declare "a cybersecurity emergency and order the limitation or shutdown of Internet traffic to and from any compromised Federal government or United States critical infrastructure information system or network". This bill was a triumph of hope over reality and, for so many reasons, a very bad idea.
A new version of the draft, now elevated to be bill S.773, the "Cybersecurity Act of 2009", reappeared Aug. 19 and the changes compound the poor thinking of the original with further vagaries that make the whole idea as ludicrous, impractical and dangerous as the draft (see the excellent Web site OpenCongress.org for the bill's details).
Here's the biggest problem with the bill: Even if such a set of controls and powers could be put in place, who is going to be put in charge of the mechanics of making the provisions of the bill actually happen?
Presumably someone with the title of, say, "Federal Chief Information Officer"? That, my friends, would be one Vivek Kundra, who was, as they say, "tapped" (which always makes me think of something one would do to a keg of beer rather than to a person) for the post by President Obama with much fanfare earlier this year.
Kundra has just been the focus of a small storm of journalistic silliness started by the columnist and blogger John Dvorak. Dvorak stitched together some misinformation and then branded Kundra as "a phony." Strong words indeed and words, as it turned out, that were wrong.
The facts are that Kundra's resume is, as far as I can determine, pretty much what it claims to be, and therein lies the problem that he faces: How can Kundra, with his good but not sensational resume, take on something as complex, nay, as fiendishly labyrinthine and siloed, as the federal government and try to get all of the stakeholders to march in lockstep over an issue as little understood as cybersecurity?
It is, I contend, one of the dirty little secrets of the industry that, while most IT professionals do a great job keeping the business running, there's a lot of stuff kept together with the digital equivalent of baling wire and chewing gum. And that's just the operational stuff. When it comes to security the baling wire looks more like hairy string and the chewing gum more like hope.
Now, if you are a security guy reading this please understand I'm not impugning what you do, or rather, what you try to do. It's just that if economics is called "the dismal science" then IT security should be called "the impossible science." Show me an enterprise that has bulletproof security and I'll be happy to introduce you to Santa Claus.
Kundra's job is, in reality, impossible, and all he will be able to do are spot fixes for a limited range of strategic federal IT issues. Moreover, when it comes to implementing something as enormously complex as the Cybersecurity Act of 2009, the task is just too big for anyone, or for that matter, any group.
It's not that Kundra shouldn't try to make things happen in his new role, but let's get real: He can't and won't succeed when it comes to this bill and the same applies to most of the strategic issues that face him. No amount of hope can trump that particular reality.
Gibbs has given up on hope in Ventura, California. Your reality to firstname.lastname@example.org.