Friday, July 14, 2017

A Federal Department of Cyber Security?

An op-ed in Wednesday's Wall Street Journal calls for creation of one.  The writers want to consolidate some 11 existing cyber security agencies into one new cabinet-level department, like we did creating the Homeland Security Dept some 15 years ago.  Sounds cool. I wonder what such a new bureaucracy would do, other than draw their pay.  The writers, by the way, both work for Sullivan and Cromwell, a law firm doing cyber security work.  They probably figure that a big cyber security department could write bigger contracts than 11 smaller ones.
  There are probably 300 million computers in the country, pretty much all of 'em running Windows, the world's most vulnerable operating system.  Some fraction of these (1/10th? 1/4? maybe even 1/2?) have critical data: voter registration, credit card data, phone bills, driver registrations, title deeds, stock ownership, bank accounts, and more.  Destruction of, or even just tampering with, any of this stuff would cause all sorts of havoc.  Not to forget national security stuff: codes, ciphers, location and numbers of nuclear weapons, plans for warplanes, operational orders, size and strength of the armed forces, war plans, effectiveness of weapons, and more.  And finally there is control of things like the electric power grid, nuclear power plants, the phone network, the Internet, even city traffic lights.  Putting out the lights, even just fouling up the NYC traffic lights, would be very very expensive.
  Keeping all this stuff secure is low-level work. The system administrator of each of however many million computers has to insist on strong user passwords, disable the passwords of employees leaving the outfit, run weekly backups, keep each machine up to date on Microsoft patches, keep critical machines in locked rooms, insist on periodic password changes, search for and eradicate malware, and insist that only one firewall machine be on the public internet, with all the rest going through the firewall machine to get to the net.  It's the unsung efforts of a vast number of low-level workers that keep us as secure as we are.  I don't see how a high-level cyber security department would help out here.
   Users, commercial, military, and state, ought to come together and pressure Microsoft to close the many gaping holes in Windows security.  Microsoft ought to disable autorun (we spread Stuxnet on the Iranians via autorun).  Microsoft ought to remove the Basic language interpreters inside Word, Excel, and probably other stuff.  The Basic capability is never used by real users, and allows damaging malware to be hidden inside harmless-looking documents, sent as e-mail attachments to infect victim computers.  And there are dozens of other Windows loopholes that anyone versed in Windows internals can tell you about.  Concerted pressure from all users might shape the Microsofties up.
   As for the controlling of things, electric power generators, transformers, trains, rolling mills, air traffic, etc., one simple rule will do a lot of good.  Never pass control or monitoring signals over the public internet or the public telephone network.  Run your own dedicated line, preferably fiber optic, preferably on your own poles.  Make it so hackers would have to climb a pole and tap a line to gain control.  Fiber optic is much harder to tap than traditional copper pairs.
   We have a huge army of underemployed lawyers in this country.  Tell the affected companies that we will sic those lawyers on them should their equipment fail because some hacker gained control over the internet. Keep it off the internet and we will be much safer.
