I'd like to share with everyone a letter I wrote in January 2012 as part of an application to the White House Fellowship program (my application was turned down).
I believe that a national cyber security education and protection program should be established. This program would not only target cyber security professionals, but all Americans, especially the average home or business user, and owners of critical infrastructure such as power, phone, gas, and water.
Most cyber attacks are launched from networks of compromised systems, called botnets. A system normally becomes compromised due to a user's lack of proper security controls and procedures, including missing or out-of-date antivirus software, missing or disabled firewall software, or missing vendor security patches. These factors, combined with a lack of understanding of how systems become infected with malware, result in the average user's system becoming infected. Most malware infections could be prevented through basic user education.
The Federal Information Security Management Act (FISMA) does an excellent job of holding Federal agencies and contractors responsible for the security status of their computer systems. However, FISMA provides no guidance for the private sector or home users. Payment Card Industry (PCI) provides requirements and guidance for the private sector when dealing with credit card transactions, but this does not apply to many businesses. As long as security guidance is lacking in the home and private sector, continued malware infections will threaten the entire United States, including Federal systems. Infected private systems can be used as “cyber weapons” to attack government systems, steal financial details, and possibly even disrupt critical infrastructure.
A national cyber security education and protection program would:
- Raise user awareness of the necessity of antivirus and firewall computer security software, as well as the need to install vendor security patches.
- Educate users on the threats that can be encountered online, and how to protect themselves.
- Protect critical infrastructure through regulatory requirements designed to prevent attacks against power, phone, gas, and water services.
It is my belief that through guidance and critical infrastructure regulation, users can become aware of the critical threats against their computer systems, and how to protect themselves. After all, a threat to one system is a threat to all systems.
Link to Original Letter
I'm very anxious to see how my letter compares with the actual executive order once it has been released.