-- Marvin the paranoid android from The Hitchhiker's Guide to the Galaxy by the late Douglas Adams.
I have a cold. Nothing big, just a dash of good ol' rhinovirus (part of the Picornaviridae family ... pico meaning small and RNA signifying that these are single-stranded positive-sense RNA viruses). And one thing that colds tend to do to me is interrupt my sleeping pattern. I got about three hours last night -- which tends to make me cranky and gloomy.
Actually, it isn't just the cold that's making me gloomy; it is also a consequence of reading the draft report The National Strategy to Secure Cyberspace issued last week by President Bush's Critical Infrastructure Protection Board.
<digression>Can anyone tell me why the report is a PDF file? Why was it laid out in landscape format so that unless you have one of those rotating monitors you pretty much have to print it out to read it? Why not publish in HTML? Why not make it a richly linked, vibrant evolving document? Why keep thinking in terms of paper? And of course because of paper thinking there's at least one URL (see page two of the report) that is wrong: they have a hyphen in www.securecyberspace.gov.</digression>
The report is a fine example of some very smart people tackling an enormously complex problem in a hugely political context.
The recommendations of the report are predictable, ponderous and mired in bureaucratic thinking. For example, from page three under Case for Action -- Key Themes: "The nation's economy is increasingly dependent on cyberspace; this has introduced unknown interdependencies and single points of failure." The report has no comment on how the problems of unknown interdependencies and single points of failure should be addressed.
Taskforces for this, committees for that, but nothing concrete. The result is more soapboxing than action. And we can draw several conclusions from this.
First, without laws that impose legal obligations on network and computer owners, all that the "plan" can offer are best practices.
Second, when it comes to computers and networking, best practices quickly become obsolete, and are only very generally applicable.
Third, whether a best practice actually can be followed depends on the situation.
Fourth, from conclusions two and three, we can deduce that any person or organisation that fails to implement a best practice can usually claim extenuating circumstances.
What we have at work here are a number of competing factors that make for an intractable problem: we can't legislate because network security is too complex to frame meaningful laws about and, even if we could, it is too politically charged to do so (the gods be praised).
And we can't leave the problem to be solved through corporate belief in community responsibility or enlightened self-interest because we don't believe such things generally exist in corporate circles.
And just consider that, as all this infrastructure protection talk is going on, we still have that lunatic, California Congressman Howard Berman, whom I have written about as sponsoring legislation so that big business (for example, the big five record companies) can go and hack suspected copyright pirates with impunity.
The scale of the problem is way beyond our ability to understand it (I have banged on about complexity in the past).
The government needs to get its own house in order and leave the private sector to do what it does best -- look out for its own interests.