Federal Priorities and Cybersecurity

Herb Lin
Wednesday, July 22, 2015, 11:02 PM

Published by The Lawfare Institute
in Cooperation With
Brookings

A recent New York Times article on the cybersecurity posture of the U.S. government (U.S. vs. Hackers: Still Lopsided Despite Years of Warnings and a Recent Push) had the following paragraph:

Even senior White House officials acknowledge how much remains to be done. “It’s safe to say that federal agencies are not where we want them to be across the board,” Michael Daniel, Mr. Obama’s top cybersecurity adviser, said in an interview. He said the bureaucracy needed a “mind-set shift” that would put computer security at the top of a long list of priorities. “We clearly need to be moving faster.”

The sentiment underlying this paragraph is understandable, but it really doesn’t make sense that we should strive “to put computer security at the top of a long list of priorities.” Why? Because we also want the U.S. government to get its work done, and the most robust computer security posture for the U.S. government would be to abandon the use of computers entirely. A proper expression of this sentiment would be something like “to put computer security at the top of a long list of priorities, consistent with getting done the work the U.S. government needs to do.”

Mike Daniel was not quoted in the story with the words “at the top of a long list,” and I don’t believe for a minute that he doesn’t recognize the tension between getting work done and computer security. But the sentiment expressed is all too typical of expectations (most particularly from the U.S. Congress) that government should be both more efficient and also more secure. Such expectations don’t recognize the efficiency-security tradeoff, which is in fact central to the policy conundrum.

It may be good politics for Congress to criticize government insecurity and government inefficiency on alternate days of the week, but it’s not sound policy. If we want to improve security, we will have to accept a lower level of efficiency, at least temporarily. That’s just reality.


Dr. Herb Lin is senior research scholar for cyber policy and security at the Center for International Security and Cooperation and Hank J. Holland Fellow in Cyber Policy and Security at the Hoover Institution, both at Stanford University. His research interests relate broadly to policy-related dimensions of cybersecurity and cyberspace, and he is particularly interested in and knowledgeable about the use of offensive operations in cyberspace, especially as instruments of national policy. In addition to his positions at Stanford University, he is Chief Scientist, Emeritus for the Computer Science and Telecommunications Board, National Research Council (NRC) of the National Academies, where he served from 1990 through 2014 as study director of major projects on public policy and information technology, and Adjunct Senior Research Scholar and Senior Fellow in Cybersecurity (not in residence) at the Saltzman Institute for War and Peace Studies in the School for International and Public Affairs at Columbia University. Prior to his NRC service, he was a professional staff member and staff scientist for the House Armed Services Committee (1986-1990), where his portfolio included defense policy and arms control issues. He received his doctorate in physics from MIT.
