Thursday, January 14, 2016

McAfee on Cyber Security

John McAfee seems to consider cyber security the marquee issue for his presidential campaign. See his op-ed at Business Insider yesterday and his campaign position paper on the subject.

Coming at it from two directions -- "as a libertarian" and "on pragmatic grounds," I find his concerns quite relevant but his approach an epic fail.

Short version: McAfee wants to create a cabinet-level "Office of Digital Transformation" to do a couple of things -- bolster US cyber security and create a genuine retaliatory capability -- and to pay for that program with savings from disbanding the Transportation Security Administration.

Hey, I'm down with abolishing the TSA, and not just because of the cost savings that would accomplish for American taxpayers.

But, as McAfee seems to recognize -- in various places, on various issues, even including this one when he STARTS to talk about it -- government does not and cannot do anything well, or efficiently, or cheaply, or morally.

Even if his "Office of Digital Transformation" does as he suggests and hires the best "white hat" hackers it can find to do the things he thinks needs to be done, the ODT will quickly become just another bureaucracy full of featherbedding careerists and the US will remain vulnerable to the dangers McAfee perceives.

If I was designing a US cyber security strategy, I would come at it more like this:

  • De-governmentalize and de-centralize as much critical cyber-infrastructure as possible. A diffuse threat requires a diffuse defense, and this is as true of cyber war as it is of terrorism or anything else. The vulnerabilities McAfee wants to address are baked in to the structure of political government as we know it and can't be taken out of that structure short of abolishing the system (to which I say yay!, but which is unlikely in the near term). So, step one would be to have government be in charge of as little as possible (preferably, nothing at all), and DEFINITELY not in charge of cyber security. Let a thousand private sector solutions bloom.
  • If the government is allowed to continue to do some things, those things should be done in the most primitive, analog, un-wired ways possible. A Treasury employee should have an abacus, not a PC, on her desktop. Or at least have the necessary skill set to use that abacus if that PC should happen to decide it no longer works for the US government. Government computers shouldn't be connected to public networks "just because;" only if and when absolutely necessary. You know how your machine automatically connects when you boot up these days? Government computers should make it HARD TO CONNECT so that they are only connected when a conscious decision to connect, based on an important reason for connecting, has been made.
  • To the extent that government systems interface with the public Internet, there should also be a "bug bounty" program, just like all the big software companies run in the private sector. That's where the "white hat" hackers come in. If there's a vulnerability, it will be found. Right now, it will most likely be found by "black hat" cyber warriors who want to exploit it. But if there's a $10k reward for every vulnerability found and reported, the "white hats" will be in there working just as hard as the "black hats."
Since he's seeking the Libertarian Party's presidential nomination, it behooves McAfee to think through major issues from the most libertarian perspective he can muster. And the past evidence is that he can muster a very libertarian perspective indeed. If he brings that perspective to bear on cyber security, I think his position will evolve to both a more libertarian and a more practical one.

No comments: