Yoran’s Departure – A New Impetus For Cyber-Security Regulation?

by on October 3, 2004

Amit Yoran is gone. And he might as well be saying how can a cybersecurity czar help online security when the Administration sends out signals of “wrong war, wrong place, wrong time?”

The news reports say Yoran’s departure was a result of his wanting more authority to address cybersecurity issues. As the director of the National Cyber Security Division, he was charged with implementing President Bush’s “National Strategy to Secure Cyberspace.” Will there now be a call for more government involvement in cybersecurity? Does cybersecurity warrant Assistant Secretary status within DHS, a position that has direct access to Secretary Tom Ridge?


In an article I wrote last year when Yoran was first appointed, I argued that the federal government has a role to play in cybersecurity, but that it should not be in the business of regulating private sector security. Mandated security audits, stringent liability rules, or minimum standards would not necessarily make software and networks more secure than would a more market-based approach, though it would surely help employ more security consultants and increase the bureaucracy and costs for industry.

I think that the pressure will be to nominate someone that will advocate for more government involvement.  If Kerry is elected, this nominee might be part of his “plan” for funding Homeland Security. Or if Bush is reelected, he may refer to how it’s “hard work” to protect the homeland, and that means an increase for the status of cybersecurity in DHS.

Maybe this will increase the pressure for Congress to act, conflating cybersecurity with spyware and increasing the chances for a spyware bill.

There are those that say that the risks for a “cyber attack” are overstated. There will be no big bang – no power plant or dam that will suddenly be taken over. Instead, it will be a “death by thousand cuts” attack, and while anything is possible with smart hackers, we’re more at risk with a good ol’ fashioned physical attack or insider job than we are to a cyber attack.

I don’t think cybersecurity warrants Assistant Secretary status at this time.

Comments on this entry are closed.

Previous post:

Next post: