Short-Term Recommendation 5.2: Promote the use of best practices in information and network security throughout all relevant public agencies and private organizations.
Nearly all organizations, whether in government or the private sector, could do much better with respect to information and network security than they do today simply by exploiting what is already known about that subject, as discussed at length in Cybersecurity Today and Tomorrow: Pay Now or Pay Later.12 (For example, many technologies for securing IT systems, such as encryption, secure authentication, and the use of private networks for critical communications, are available but not widely deployed.) Those responsible for requiring and implementing such changes range from chief technical (or even executive) officers to system administrators. There is currently no clear locus of responsibility within government to undertake such “promotion” across the private sector—information and network security there is not subject to government regulation—nor even across government itself. The Office of Management and Budget has sought to promote information and network security in the past, but despite its actions the state of information and network security in government agencies remains highly inadequate. In the final analysis, even though the market has largely failed to provide sufficient incentives for the private sector to take adequate action with respect to information and network security, it is likely that market mechanisms will be more successful than regulation in improving the security of the nation’s IT infrastructure, though they have yet to do so. The challenge for public policy is to ensure that such market mechanisms develop.
Short-Term Recommendation 5.3: Ensure that a mechanism exists for providing authoritative IT support to federal, state, and local agencies that have immediate responsibilities for responding to a terrorist attack.
One option is to place the mechanism administratively in existing government or private organizations (e.g., the National Institute of Standards and Technology, the Office of Homeland Security, the Department of Defense, or the Computer Emergency Response Team of the Software Engineering Institute at Carnegie Mellon University); and a second option is to create a national body to coordinate the private sector and local, state, and federal authorities.13 In the short term, a practical option for providing emergency operational support would be to exploit IT expertise in the private sector, much as the armed services draw on the private sector (National Guard and reserve forces) to augment active-duty forces during emergencies. Such a strategy, however, must be a complement to a