Today, and Before

On July 17, 2008, (then) Senator Barack Obama held a town hall meeting on national security at Purdue University. He and his panel covered issues of nuclear, biological and cyber security. (I blogged about the event here and here.) As part of his remarks at the event, Senator Obama stated:

Every American depends — directly or indirectly — on our system of information networks. They are increasingly the backbone of our economy and our infrastructure; our national security and our personal well-being. But it's no secret that terrorists could use our computer networks to deal us a crippling blow. We know that cyber-espionage and common crime is already on the rise. And yet while countries like China have been quick to recognize this change, for the last eight years we have been dragging our feet.

As President, I'll make cyber security the top priority that it should be in the 21st century. I'll declare our cyber-infrastructure a strategic asset, and appoint a National Cyber Advisor who will report directly to me. We'll coordinate efforts across the federal government, implement a truly national cyber-security policy, and tighten standards to secure information — from the networks that power the federal government, to the networks that you use in your personal lives.

That was a pretty exciting statement to hear!

On February 9, 2009, (now) President Obama appointed Melissa Hathaway as Acting Senior Director for Cyberspace and charged her with performing a comprehensive review of national cyberspace security in 60 days. I interacted with Ms. Hathaway and members of her team during those 60 days (as well as before and after). From my point of view, it was a top-notch team of professionals approaching the review with a great deal of existing expertise and open minds. I saw them make a sincere effort to reach out to every possible community for input.

If you're keeping count, the report was delivered on or about April 10. Then, mostly silence to those of us on the outside. Several rumors were circulated in blogs and news articles, and there was a presentation at the RSA conference that didn't really say much.

Until today: May 29th.

Shortly after 11am EDT, President Obama gave some prepared remarks and his office released the report. In keeping with his July 2008 statement, the President did declare that "our digital infrastructure -- the networks and computers we depend on every day -- will be treated as they should be: as a strategic national asset." However, he did not appoint someone as a National Cyber Advisor. Instead, he announced the position of a "Cybersecurity Coordinator" that will be at a lower level in the Executive Office of the White House. No appointment to that position was announced today, either. (I have heard rumor from several sources that a few high-profile candidates have turned down offers of the position already. Those are only rumors, however.)

The President outlined the general responsibilities and duties of this new position. It apparently will be within the National Security Staff, reporting to the NSC, but also reporting to OMB and the National Economic Council, and working with the Federal CIO, CTO and the Office of Science and Technology Policy.

The new Coordinator will be charged with

1. helping develop (yet another) strategy to secure cyberspace. This will include metrics and performance milestones;
2. coordinating with state and local governments, and with the private sector, "to ensure an organized and unified response to future cyber incidents."
3. to strengthen ties with the private sector, with an explicit mandate to not set security standards for industry.
4. to continue to invest in cyber (although the examples he gave were not about research or security
5. to begin a national campaign to increase awareness and cyber literacy.

The President also made it clear that privacy was important, and that monitoring of private networks would not occur.

Reading Between the Lines

There were a number of things that weren't stated that are also interesting, as well as understanding implications of what was stated.

First of all, the new position is rather like a glorified cheerleader: there is no authority for budget or policy, and the seniority is such that it may be difficult to get the attention of cabinet secretaries, agency heads and CEOs. The position reports to several entities, presumably with veto power (more on that below). Although the President said the appointee will have "regular access" to him, that is not the same as an advisor -- and this is a difference that can mean a lot in Washington circles. Although it is rumor that several high-profile people have already turned down the position, I am not surprised given this circumstance. (And this may be why it has been two months since the report was delivered before this event — they've been trying to find someone to take the job.)

The last time someone was in a role like this with no real authority -- was in 2001 when Howard Schmidt was special adviser for cyberspace security to President G.W.Bush. Howard didn't stay very long, probably because he wasn't able to accomplish anything meaningful beyond coordinating (another) National Plan to Secure Cyberspace. It was a waste of his time and talents. Of course, this President knows the difference between "phishing" and "fission" and has actually used email, but still...

Second, the position reports to the National Economic Council and OMB. If we look back at our problems in cyber security (and I have blogged about them extensively over the last few years, and spoken about them for two decades), many of them are traceable to false economies: management deciding that short-term cost savings were more important than protecting against long-term risk. Given the current stress in the economy I don't expect any meaningful actions to be put forth that cost anything; we will still have the mindset that "cheapest must be best."

Third, there was no mention of new resources. In particular, no new resources for educational initiatives or research. We can pump billions of dollars into the bank accounts of greedy financiers on Wall Street, but no significant money is available for cyber security and defense. No surprise, really, but it is important to note the "follow the money" line -- the NEC has veto power over this position, and no money is available for new initiatives outside their experience.

Fourth, there was absolutely no mention made of bolstering our law enforcement community efforts. We already have laws in place and mechanisms that could be deployed if we simply had the resources and will to deploy them. No mention was made at all about anything active such as this -- all the focus was on defensive measures. Similarly, there was no mention of national-level responses to some of the havens of cyber criminals, nor of the pending changes in the Department of Defense that are being planned.

Fifth, the President stated "Our pursuit of cybersecurity will not -- I repeat, will not include -- monitoring private sector networks or Internet traffic." I suspect that was more than intended to reassure the privacy advocates -- I believe it was "code" for "We will not put the NSA in charge of domestic cyber security." Maybe I'm trying to read too much into it, but this has been a touchy issue in many different communities over the last few months.

There are certainly other things that might be noted about the report, but we should also note some positive aspects: the declaration that cyber is indeed a strategic national asset, that the problems are large and growing, that the existing structures don't work, that privacy is important, and that education is crucial to making the most of cyber going forward.

Of course, Congress ("pro is to con as Progress is to Congress") is an important player in all this, and can either help define a better or solution or stand in the way of what needs to be done. Thus, naming a Cyberspace Coordinator is hardly the last word on what might happen.

But with the perspective I have, I find it difficult to get too excited about the overall announcement. We shall see what actually happens.

The Report

I've read the report through twice, and read some news articles commenting on it. These comments are "off the top" and not necessarily how I'll view all this in a week or two. But what's the role of blogging if I need to think about it for a month, first?

It is important to note that the President's remarks were not the same as the report, although its issuance was certainly endorsed by the White House. The reason I note the difference is that the report identifies many problems that the President's statement does not address (in any way), and includes many "should"s that cannot be addressed by a "coordinator" who has no budget or policy authority.

What is both interesting and sad is how much the new report resembles the largely-inconsequential National Plan to Secure Cyberspace issued under the Bush Administration (be sure to see the article at the link). That isn't a slam on this report -- as I wrote earlier, I think it is a good effort by a talented and dedicated team. What I mean to imply is that the earlier National Plan had some strong points too, but nothing came of it because of cost and prioritization and lack of authority.

There are a number of excellent points made in this report: the international aspects, the possibility of increased liability for poor security products and pratices, the need for involvement of the private sector and local governments, the need for more education, the problems of privacy with security, and more.

I was struck by a few things missing from the report.

First, there was no mention of the need for more long-term, less applied research and resources to support it. This is a critical issue, as I have described here before and has been documented time and again. To its credit, the report does mention a need for better technology transfer, although this is hardly the first time that has been observed; the 2005 PITAC report "Cyber Security: A Crisis of Prioritization" included all of this (and also had minimal impact).

The report had almost nothing to say about increasing resources and support for law enforcement and prosecution. This continues to puzzle me, as we have laws in place and systems that could make an impact if we only made it a priority.

There is no discussion about why some previous attempts and structures -- notably DHS -- have failed to make any meaningful progress, and sometimes have actually hindered better cyber security. Maybe that would be expecting too much in this report (trying not to point fingers), but one can't help but wonder. Perhaps it is simply enough to note that no recommendations are made to locate any of the cyber responsibilities in DHS.

There is some discussion of harmonizing regulations, but nothing really about reviewing the crazy-quilt laws we have covering security, privacy and response. There is one sentence in the report that suggests that seeking new legislation could make things worse, and that is true but odd to see.

As an aside, I bet the discussion about thinking about liability changes for poor security practices and products -- a very reasonable suggestion -- caused a few of the economic advisors to achieve low Earth orbit. That may have been enough to set off the chain of events leading to reporting to the NEC, actually. However, it is a legitimate issue to raise, and one that works in other markets. Some of us have been suggesting for decades that it be considered, yet everyone in business wants to be held blameless for their bad decisions. Look at what has played out with the financial meltdown and TARP and you'll see the same: The businessmen and economists can destroy the country, but shouldn't be held at fault.

There is discussion of the supply-chain issue but the proposed solution is basically to ensure US leadership in production -- a laudable goal, but not achievable given the current global economy. We're going to need to change some of our purchasing and vetting habits to really achieve more trustworthy systems — but that won't go over with the economists, either.

There is no good discussion about defining roles among law enforcement, the military, the intelligence community, and private industry in responding to the problems. Yes, that is a snake pit and will take more than this report to describe, but the depth of the challenges could have been conveyed.

As David Wagner noted in email to an USACM committee, there is no prioritization given to help a reader understand which items are critical, which items are important, and which are merely desirable. We do not have the resources to tackle all the problems first, and there is no guidance here on how to proceed.

Summary

I didn't intend for this to be a long, critical post about the report and the announcement. I think that this topic is receiving Presidential attention is great. The report is really a good summary of the state of cybersecurity and needs, produced by some talented and dedicated Federal employees. However, the cynic in me fears that it will go the way of all the other fine reports -- many of which I contributed to -- including the PITAC report and the various CSTB reports; that is, it will make a small splash and then fade into the background as other issues come to the fore.

Basically, I think the President had the right intentions when all this started, but the realpolitik of the White House and current events have watered them down, resulting in action that basically endorses only a slight change from the status quo.

I could be wrong. I hope I'm wrong. But experience has shown that it is almost impossible to be too cynical in this area. In a year or so we can look back at this and we'll all know. But what we heard today certainly isn't what Candidate Obama promised last July.

(And as I noted in a previous post, Demotivators seem to capture so much of this space. Here's one that almost fits.)

If you are in the United States, it has been nigh-on impossible to watch TV, read a newspaper, follow a blog, or (in some states) get your paper mail without something about the upcoming election being present. Some of this has been educational, but a huge amount of it has been negative, vague, and often misleading. That’s U.S. politics, unfortunately—the majority of voters don’t really bother to educate themselves about the issues and the media does an uneven job of reporting the truth. For many voters, it comes down to only one or two issues they care passionately about, and they vote for a candidate (or against one) on those simple issues. For instance, there are many voters who will base their votes solely on a candidate’s perceived position on gun control, access to legal abortions, tax policy, or other single issues without thinking about all the position issues. (And, as I note below, most of these single issues aren’t really under the control of the President no matter who is elected.)

Of course, the US political system tends to reinforce this binary choice procedure, as we have long had only two really major parties. Parliamentary systems seem to encourage more parties, although even then there appears to be only two major ones, often oriented around the same approximate social/political poles: a conservative party, and a liberal (labor) party.

So, in the U.S. we have candidates from both major parties (and many minor ones) campaigning—explaining their positions, offering their plans for when they are in office, and trying to instill voter confidence and trust. (And too often, offering innuendo, misquotes and outright untruths about their opponents.)

What none of them say, and the media doesn’t either, is that very few of the promises can really be certain of being kept. And in large part, that is also a nature of government.

The President has a limited set of powers under the Constitution. He (or she) is responsible for the execution of the laws of the United States. The President is the Commander-in-Chief of all the armed forces and is responsible for commanding them in defense of the country and upholding the law (including treaties). The President is the chief executive agent of all the various Cabinet agencies, and of a number of offices and commissions. The President appoints a large number of officials (including judges and ambassadors), but doesn’t have the power to remove many of them.

Most importantly, the President does not make new laws. Laws are passed by Congress, usually with the assent of the President, although a 2/3 majority of both houses of Congress may pass laws to which the President objects. The President is then responsible for ensuring that those laws are carried out, with recourse to the Courts if there are questions. If the President fails to enforce the laws, Congress may take some punitive actions, or even impeach the President…if they have the political will.

So, back to the candidates. If you listen to their speeches, they offer to change tax law, spend more on energy issues, change health care, and a number of other important domestic issues. What they don’t point out, however, is that they will have no authority as President to do most of those things! Instead, Congress will need to pass authorizing legislation that is signed by the President. The President can certainly propose that Congress enact those changes, but Congress needs to craft and pass legislation that enables the President to act, and that allocate necessary funds, and that also create/remove administrative structures that may be involved. This legislation can include whatever other items that Congress adds in to the bill, including items that may be completely unrelated to the main topic. The President then must decide whether to sign the bill and act to implement its provisions.

So, the most a new President can do is to propose legislation to embody his/her campaign promises, and to work for its passage. What usually happens is that the size of the win in the election serves as a political measure of how much the population is aligned with the new President’s positions, and this can help get a particular agenda passed…or not. Of critical importance is also the issue of whether one or both houses of Congress are controlled by the same party as the new President, and by what margin.

Thus, there should probably be more attention paid to the candidates running for Congress and their particular positions on important issues. In many venues, however, the majority of the attention is focused on the Presidential contest. Some other states are also dealing with contentious state initiatives, tight governor races, and other local issues that help further obscure the Congressional races.

Now, how does this apply to cybersecurity, the ostensible topic of this blog? Or education? Or privacy? Or other topics we focus on here?

Well, as I will address in my next posting, the two main Presidential candidates have made some comments on cyber security, but I have not been able to find any coverage of any current candidate for Congress who has mentioned it. It is basically invisible. So is privacy. Education has gotten a little mention, but not much. And given the more overt, pressing issues of the economy, the deficit, health care, energy dependence, and war in the Middle East, it seems unlikely that any Congressional candidate has bothered to think much about these cyber issues, or that they have received much further thought from the Presidential candidates. (Too bad cyber security can’t be part of the mud slinging—it might raise its profile!)

Of course, with the economy in such sad shape, and some of the other severe problems being faced by the U.S., one might ask whether cyber should be a priority for the new President. I would answer yes, because the problems are already here and severe (although not as obvious as some of the other problems), and it will take years of major effort simply to keep even with the current sad status. The problems in cyber cannot be fixed in a crash effort devoted at any future time, and until they are addressed they will be a drain on the economy (in 2006, the FBI estimated the loss to computer crime in the US to be $67 billion—almost 10% of the recent economic bailout), and a threat to national security. Thus, deferring action on these issues will only make the situation worse; we need to initiate a sustained, significant program to make some important changes.

There are some things that the new President can do, especially as they relate to the military, law enforcement, and some other agencies in the Executive Branch. This is potentially cause for some glimmer of hope. I intend to blog some on that too, with a list of things that should be considered in the new administration.

Over the last month or so, many people who read my first post on Senator Obama’s “security summit” at Purdue have asked me about followup, I’ve been asked “Did you ever hear back from the Senator?”, “Has the McCain campaign contacted you?”, and “What do you think about the candidates?” I’ve also been asked by a couple of my colleagues (really!) “Why would they bother to contact you?”

So, let me respond to these, with the last one first.

Why would someone talk with you about policy?

So, I haven’t been elected or served in a cabinet-level position in DC. I haven’t won a Nobel prize (there isn’t one in IT), I’m not in the National Academies (and unlikely to be—few non-crypto security people are), and I don’t have a faculty appointment in a policy program (Purdue doesn’t have one). I also don’t write a lot of policy papers—or any other papers, anymore: I have a persistent RSI problem that has limited my written output for years. However, those aren’t the only indicators that someone has something of value to say.

As I’ve noted in an earlier post, I’ve had some involvement in cyber security policy issues at the Federal level. There’s more than my involvement with the origins of the SfS and Cyber Trust, certainly. I’ve been in an advising role (technology and policy) for nearly 20 years with a wide range of agencies, including the FBI, Air Force, GAO, NSA, NSF, DOE, OSTP, ODNI and more. I’ve served on the PITAC. I’ve testified before Congressional committees a half-dozen times, and met with staff (officially and unofficially) of the Senate and House many times more than that. Most people seem to think I have some good insight into Federal policy in cyber, but additionally, in more general issues of science and technology, and in defense and intelligence.

From another angle, I’ve also been deeply involved in policy. I served on the CRA Board of Directors for 9 years, and have been involved with its government affairs committee for a decade. I’ve been chair or co-chair of the ACM’s US Public Policy committee for a dozen years. From these vantage points I have gained additional insights into technology policy and challenges in a broad array of issues related to cyber, education, and technology.

And I continue to read a lot about these topics and more, including material in a number of the other sciences. And I’ve been involved in the practice and study of cyber security for over 30 years.

I can, without stretching things, say that I probably know more about policy in these areas than about 99.995% of the US population, with some people claiming that I’m in the top 10 or so with respect to broad issues of cyber security policy. That may be why I keep being asked to serve in advisory positions. A lot of people tend to ask me things, and seem to value the advice.

One would hope that at least some of the candidates would be interested in such advice, even if not all of my colleagues (or my family are interested in what I have to say.

Have any of the other candidates contacted you?

Simply put—no. I have gotten a lot of mailings from the Republican (and Democratic) campaigns asking me to donate money, but that’s it.

I’m registered as an independent, so that may or may not have played a role. For instance, I can’t volunteer to serve as a poll worker in Indiana because I’m not registered in one of the two main parties! I don’t show up in most of the databases (and that may be a blessing of sorts).

To digress a moment…. I don’t believe either party has a lock on the best ideas—or the worst. I’m not one of those people who votes a straight-ticket no matter what happens. I have friends who would vote for anyone so long as the candidate got the endorsement of “their” party. It reminds me of the drunken football fans with their shirts off in -20F weather cheering insanely for “their” team and willing to fight with a stranger who is wearing the wrong color. Sad. Having read the Constitution and taken the oath to defend it, I don’t recall any mention of political parties or red vs. blue….

That said, I would be happy to talk with any serious candidate (or elected official) about the issues around cyber, security, education, and the IT industry. They are important, and impact the future of our country…and of much of the world.

So, has anyone with the Obama campaign contacted you since his appearance at Purdue?

Well, the answer to this is “yes and no.”

I was told, twice, by a campaign worker that “Someone will call you—we definitely want more advice.” I never got that phone call. No message or explanation why. Nothing.

A few weeks after the second call I did get a strange email message. It was from someone associated with the campaign, welcoming me to some mailing list (that I had not asked to join) and including several Microsoft Word format documents. As my correspondents know, I view sending email with Word documents to be a bad thing. I also view being added to mailing lists without my permission to be a hostile act. I responded to the maintainer of the list and his reply was (paraphrased) “I don’t know why you were added. Someone must have had a reason. I’ll check and get back to you.” Well, I have received no more email from the list, and I never got any followup from that person.

So, in summary, I never got any follow-up from the campaign. I don’t think it is an issue with the Senator (who wouldn’t have been the one to contact me anyhow) but a decision by his staff.

So, depending your level of cynicism, the mentions of my name, of CERIAS, and of follow-up was either (a) a blown opportunity caused by an oversight, or (b) a cynical political ploy to curry local favor.

(My daughter suggested that they are waiting until after the election to appoint me to a lofty position in government. Uh, yeah. That probably explains why I haven’t gotten that MacArthur “genius grant” yet and why Adriana Lima hasn’t called asking me to run away with her—the timing just isn’t right yet.

What are your opinions on the Presidential candidates?

I’m not allowed to be partisan in official Purdue outlets. So, in some further posts here over the next week or two I will provide some analysis of both major candidates (NB. Yes, I know there are over 300 candidates for President on the ballots across the country. However, I don’t think there is much chance of Baldwin, Barr, McKinney, Nader, Paul or the rest getting into office. So, I’ll limit my comments to the two main candidates.

If you really want to know who I’m probably voting for, you can see my Facebook page or send me email.

[Update 10/16: After this was published I sent a link to this entry to several people associated with the Obama campaign. Only one responded, and it was clear from his email that there had been a mixup in getting back to me—but no interest in rectifying it.]

[Update 7/17: Video of the Senator’s opening remarks and the panel session (2 parts) are now online at this site. I have also added a few links.]

This story (somewhat long) is about Senator Barack Obama’s summit session at Purdue University today (Wednesday, July 16). on security challenges for the 21st century. I managed to attend, took notes, and even got my name mentioned. Here’s the full story.

Prelude

Monday night, I received email from a colleague here at Purdue asking if I could get her a ticket to see Senator Obama on campus. I was more than a little puzzled — I knew of no visit from the Senator, and I especially didn’t know why she thought I might have a ticket (although there are people around here who frequently ask me for unusual things).

Another exchange of email resulted in the discovery that the Senator was coming to Purdue today (the 16th of July) with a panel to hold a summit meeting on security issues for the 21st century. Cyber security was going to be one of the topics. The press was told that Purdue was chosen because of the leading role our researchers have in various areas of public safety and national security — including the leading program in cyber security — although some ascribed political motives as the primary reason for the location.

I found it rather ironic that security would be given as the reason for being at Purdue, and yet those of us most involved with those security centers had not been told about the summit or given invitations. It appears that the organizers gave a small number of tickets to the university, and those were distributed to administrators rather than faculty and students working in the topic areas.

I found this all very ironic and interesting, and expressed as much in email to several friends and colleagues — including several who I knew had some (indirect) link to the Senator’s campaign. I had faint hope of getting a ticket, but was more interested in simply getting the word back that there was a misfire in the organization of the event.

Late last night (I was in the office until 6:30) I got a call from someone associated with the Obama campaign. He apologized for the lack of an invitation, and informed me that a ticket was awaiting me at the desk the next day.

The Event

I went over to the Purdue Union at 11:30; the official event was to start at 12. I encountered a number of Purdue administrators in the crowd. Security was apparent for the event, including metal detectors at the door run by uniformed officers, some of whom I believe were with the Secret Service uniformed division. The officers everywhere were polite and cheerful, but watchful. I found a seat in the back of the North Ballroom with about 500 other guests…and nearly as many members of the press, entourage, ushers, protection detail, and so on.

I won’t try to summarize everything said by the Senator and panel — you can find the full video here (in two parts). I will provide some impressions of specific things that were said.

The event started almost on time (noon) with Senator Evan Bayh introducing Senator Barack Obama. Sen. Obama then read from a prepared set of remarks. His comments really resonated with the crowd (I encourage you to follow the link to read them). His comment about how we have been “fighting the last war” is particularly appropriate.

He made some very nice comments about Senator Richard Lugar, the other Senator from Indiana. Senator Lugar is a national asset in foreign policy, and both Senators Obama and Bayh (and former Senator Nunn) had nothing but good things to say about him — and all have worked with him on disarmament and peace legislation. One of the lighter moments was when Senator Obama said that Senator Lugar was a great man in every way except that he was a Republican!

Early in his statement, he deviated from his script as reproduced in the paper, and dropped my name as he was talking about cyber security. I was very surprised. He referred to me as one of the nation’s leading experts in cyber security when he mentioned Purdue being in the lead in this area. Wow! I guess someone I sent my email to pushed the right button (although my colleagues and our students deserve the recognition, as much or more than I do).

His further comments on officially designating the cyber infrastructure as a strategic asset is important for policy & legal reasons, and his comments on education and research also seemed right on. It was a strong opening, and there was obviously a lot in his comments for a number of different audiences, including the press.

Panel Part I

The first 1/3 of the panel discussion was on nuclear weapons issues. The experts present to talk on the issue were (former) Senator Sam Nunn (who joked that in Indiana everyone thought his last name was actually Nunn-Lugar), Senator Bayh, and Dr. Graham Allison, the director of the Belfer Center at Harvard. There was considerable discussion about the proliferation of nuclear materials, the need for cooperation with other countries rather than ignoring them (viz. North Korea and Iran), and the control of fissionable material.

There were some statements that I found to be a bit of hyperbole: For instance, the statement that a single bomb could be made by terrorists to destroy a whole city. Not to minimize the potential damage, but without sophisticated nation-state assistance and machining, a crude fission weapon is about all that a terrorist group could manage, and it wouldn’t be that large or that easy to build. A few tens of kilotons of fission explosion could definitely ruin your day, but a detonation at ground level wouldn’t destroy a whole city of any size. (Lafayette, IN would be mostly destroyed by one, but that isn’t a major city.) Plutonium is too dangerous to handle, so over 100 pounds of U-235 (or U-233) would be needed, and machined appropriately, for such a weapon. Without accelerators and specially shaped charges & containers, getting fission fast enough and long enough is difficult and….well, there is a very serious threat, and the nuances may be lost on the average crowd, but the focus on terrorists building a significant bomb seemed wrong to me.

There were some excellent remarks made about opportunity cost. For instance, the one figure that stood out was that we could fully fund the Nunn-Lugar initiative and some other plans to secure loose nuclear materials by spending the equivalent of 1 month of what we now spend in Iraq over the next 4 years around the world; the war in Iraq is breeding terrorists and making US enemies, while securing loose nukes would help protect generations to come around the world. As both a taxpayer and a parent (as well as someone immersed in defense issues), I know where I would prefer to see the money spent!

One other number given is that currently less than 1/4 of 1% of the defense budget is spent on containing nuclear materials, despite it being a declared priority of President Bush. Professor Allison said that despite grade inflation at Harvard, the President still gets an “F” in this area.

Another interesting factoid stated was that about 10% of the lights in the US are powered by electricity generated from reprocessed fissile material taken from Russian nukes rendered safe under the Nunn-Lugar initiative. That sounds high to me given the amount of nuclear power generated in the US, but even if off by a factor of 10, darned impressive.

Panel Part II

The second part of the panel was on bio weapons. The panelists were Dr. Tara O’Toole of the Center for Biosecurity at Pitt, and Dr. David Relman of Stanford. Their discussion was largely what I expected, about how bio-weapons can be produced by rogue actors as well as rogue states. They made the usual references to plague (with a funny interchange about prairie dogs being carriers, and keeping the Senator’s campaign away from them), anthrax and Ebola.

Again, there was a bit of exaggeration coupled with the dialog. It was pointed out that there has still been no apprehension of the perpetrator of the 2001 anthrax attacks. It was then stated that the anthrax in the envelope sent to Senator Daschle was enough to kill a billion people. No mention was made about how impossible it would be to meter and deliver such dosages in the most appropriate manner to achieve that. In fact, no discussion was made about the difficulty in weaponizing most biological agents, limiting their use as a targeted weapon over a large area. And furthermore, no mention at all was made of chemical weapons.

The conclusion here was that investment in better research and international cooperation was key. The statement was made that better integration of electronic health records would be important, too, although some studies I recall indicate that their utility is probably not so great as some would hope. It was also concluded that benefits in faster medical response and better vaccine production would help in non-crisis times as well. I don’t think we can argue too much with that, although the whole issue of how we pay for medicine and health issues looms large.

Panel Part III

The last panel featured Alan Wade, former CIO of the CIA, and Paul Kurtz of Good Harbor Consulting, speaking on the cyber threat. I’ve known Paul for years, and he is a great person to talk on these issues.

The fact that cyber technology is universal and ubiquitous was highlighted. So was the asymmetry inherent in the area. Some mention was made about how nothing has been done by the current administration until very recently. Sadly, that is clearly the case. The National Strategy in 2002, the PITAC report in 2005, and the CSTB report in 2007 (to name 3 examples) all generated no response. As a member of the PITAC that helped write the 2005 report, I was shocked at the lack of Federal investment and the inaction we documented (I knew it was bad, but didn’t realize until then how bad it was); the reaction from the White House was to dissolve the committee rather than address the real problems highlighted in the report. As one of today’s panelists put it — the current administration’s response has been “…late, fragmented, and inadequate.” Amen.

I was disappointed that so much was said about terrorism and denial of service. Paul did join in near the end and point out that alteration of critical data was a big concern, but there was no mention of alteration of critical services, about theft of intellectual property, about threats to privacy, or other more prominent threats. Terrorism online is not the biggest threat we face, and we have a major crisis in progress that doesn’t involve denial of service. We need to ensure that our policymakers understand the scope of the threat.

On the plus side, Senator Obama reiterated how he sees cyber as a national resource and critical infrastructure. He wants to appoint a national coordinator to help move protection forward. (If he is elected I hope he doesn’t put the position in DHS!)

Paul pointed out the need for more funds for education and research. He also made a very kind remark, mentioning me by name, and saying how we were a world-class resource built with almost no funding. That’s not quite true, but sadly not far off. I have chafed for years at how much more we could do with even modest on-going support that wasn’t tied to specific research projects….

Conclusions

I was really quite impressed with the scope of the discussion, given the time and format, and the expertise of the panelists. Senator Obama was engaged, attentive, and several of his comments and questions displayed more than a superficial knowledge of the material in each area. Given our current President referring to “the Internets” and Senator McCain cheerfully admitting he doesn’t know how to use a computer, it was refreshing and hopeful that Senator Obama knows what terms such as “fission” and “phishing” mean. And he can correctly pronounce “nuclear”! His comments didn’t appear to be rehearsed — I think he really does “get it.”

(Before someone picks on me too much…. I believe Senator McCain is an honorable man, a dedicated public servant, and a genuine American hero. I am grateful to have people like him intent on serving the public. However, based on his comments to the press and online, I think he is a generation out of date on current technology and important related issues. That isn’t a comment related to his age, per se, but to his attitude. I’d welcome evidence that I am mistaken.)

Senator Obama is a great orator. I also noticed how his speed of presentation picks up for the press (his opening remarks) but became more conversational during the panel.

Senator Obama kept bringing the panel back to suggestions about what could be done to protect the nation. I appreciated that focus on the goal. He also kept returning to the idea that problems are better solved early, and that investments without imminent threat are a form of insurance — paying for clean-up is far greater than some prudent investment early on. He also repeatedly mentioned the need to be competitive in science and technology, and how important support for education is — and will be.

After the session was over, I didn’t get a chance to meet any of the campaign staff, or say hello to Paul. I did get about 90 seconds with Senator Bayh and invited him to visit. After my name had been mentioned about 3 times by panelists and Senator Obama, he sort of recognized it when I introduced myself. We’ll see if he follows up. I’ve visited his office and Senator Lugar’s, repeatedly, and neither have ever bothered to follow up to see what we’re doing or whether they could help.

Several people in the audience commented on my name being mentioned. I’m more than a little embarrassed that they didn’t refer to CERIAS and my colleagues, and in fact I was the only Purdue person mentioned by name during the entire 2 hours, and then it happened multiple times. I’m not sure if that’s good or not — we’ll see. However, as P.T. Barnum said, there’s no such thing as bad publicity … so long as they spell my name correctly. None of the local or national press seem to have picked it up, however, so even spelling isn’t an issue.

The press, in fact, hasn’t seemed to focus on the substance of the summit at all. I’ve read about 15 accounts so far, and all have focused on his choice of VP or the status of the campaign. It is so discouraging! These are topics of great importance that are not well understood by the public, and the press simply ignores them. Good thing Angelina Jolie gave birth earlier in the week or the summit wouldn’t have even made the press.

I wish more of the population would take the time to listen to prolonged discussion like this. 15-second sound bites serve too often as the sole input for most voters. And even then, too many are insufficiently educated (or motivated) to understand even the most basic concepts. I wonder if more than 5 people will even bother to read this long a post — most people want blogs a single page in length.

As for my own political opinions and voting choices, well, I’m not going to use an official Purdue system to proselytize about items other than cyber security, education, research and Purdue. You can certainly ask me if you see me. Now, if only I had confidence in the electronic voting equipment that so many of us are going to be forced to use in November (hint: I’m chair of the USACM).

Last Tongue-in-Cheek Word

And no, I’m not particularly interested in the VP position.