Yes a Cyber Czar IS Necessary!

So we've all watched and/or read or read about Obama's cyber security speech today, and his call for a new high level federal "coordinator" to lead the solutions charge.

Some are saying "it's about time", and some are saying "is this really necessary?".

I'm here to tell you YES, it is about time, and YES, it really is necessary. And here's why.

First, speaking at a broad philosophical level, systems tend to optimize locally, for and around local optima. What does that mean you ask? It means for example that Microsoft at one level doesn't really care much about the security of their products...unless and until the lack of security in their products affects their bottom line. Local optimization, for local profits. If the whole country (and world) has insecure s/w as a result, but Microsoft has maximized revenue while minimizing costs (let's face it, it costs more to product high quality secure software that it does to ship garbage), then it's a win for Microsoft!

This applies across the spectrum of computer activities: s/w development, personal computer usage, enterprise systems, you name it. Security is a "as and when needed" component, and the learning of as and when needed is usually driven by the sharp end of a sequence of costly or even crippling attacks. Think about it: when did YOU finally start using firewalls and anti-virus software? I'm guessing that it wasn't until you experience the sharp end of the malware spear!

Now the second point: government, among other things, must serve to guide social action (broadly speaking; I'm including business action here) for global optima, versus pure local optima. Security comes through making security a high priority, across many fields of endeavor that result in computer based "solutions". Government has a wide variety of tools at their disposal to guide social action and thereby drive priorities, including taxation practices, government led investment, and government procurement practices both in the civilian (federal and state government) and in the defense domains. All these need to be utilized in a coordinated manner, to drive computer security in general as a priority, and to drive the specifics of that priority in consistent manner. That level of coordination is NOT going to happen through random, chaotic governmental processes. A high level federal "coordinator" is needed to lead, guide, and drive through multiple areas of government, in a consistent manner and in an aggressive manner.

Of course there are an infinitude of risks here. Largest perhaps are dictates of what "must" happen at an inappropriate levels of specificity, which invite solutions that salute the requirement at a superficial level. Result? More cost for all, and no improvement. Another is requirements that drives lots of bureaucracy that slows down innovation and adoption and deployment of improved security solutions.

These kinds of risks are why, in my opinion, the specific leader chosen is so enormously critical. They must be a solid systems thinker, someone who understands how to enable and support virtuous cycles, rather than merely create more "requirements". How do you enable, drive, encourage and support a security focus through the computer enabled and driven business world...without creating a crippling mess?