Increasingly, this election is becoming a referendum on how much our President needs to know about technology to be effective.  I’ve already made fun of John McCain’s utter incomprehension of  the intertubes, and made clear my concern that our next president have at least a basic understanding of how the modern world works.

Today, Barack Obama demonstrated that he gets it, and in the process also showed just how far apart he and McCain are when it comes to technology.  In a speech at Purdue University in Lafayette Indiana, Obama outlined how he would prepare for a future cyber war:

As President, I’ll make cyber security the top priority that it should be in the 21st century. I’ll declare our cyber-infrastructure a strategic asset, and appoint a National Cyber Advisor who will report directly to me. We’ll coordinate efforts across the federal government, implement a truly national cyber-security policy, and tighten standards to secure information - from the networks that power the federal government, to the networks that you use in your personal lives.

To protect our national security, I’ll bring together government, industry, and academia to determine the best ways to guard the infrastructure that supports our power. Fortunately, right here at Purdue we have one of the country’s leading cyber programs. We need to prevent terrorists or spies from hacking into our national security networks. We need to build the capacity to identify, isolate, and respond to any cyber-attack. And we need to develop new standards for the cyber security that protects our most important infrastructure - from electrical grids to sewage systems; from air traffic control to our markets.

I think Obama’s speech does a good job of recognizing the reality of cyber threats, and he deserves credit for that.  I do wish he placed less emphasis two of the politician’s favorite dodges:  appointing a czar to manage a key issue and naming a commission to study it.

But even he’s not painting a complete picture.  It’s not just about what “they” can do to us.  It’s also about what we have done to ourselves.

Let’s start with  four critical factors that Obama overlooked.  Two involve the technology itself and two involve the people chosen to design, manage, and implement the systems we put in place.

A.  Technology

1.  Our current cyber-security infrastructure is built on antiquated legacy systems that desperately need upgrading.  The degree to which this is true varies from agency to agency (which also is a problem).  To put it another way, all over the government, there are lanes on the internet superhighway with car-eating potholes and bridges to the 21st century that are on the verge of collapse.

2.  Six years after 9/11 interoperability and inter-agency (and sometimes intra-agency) communications remain serious problems.  This is not just an issue of systems being able to talk to one another, but also a question of proper systems integration and coordination. And that doesn’t even address the challenge of getting agencies to stop using good systems just to wall themselves off from the rest of the government.

B.  People

3.  Unles we seriously upgrade both recruitment and compensation, the US Government does not have the resources to hire the best and the brightest away from the private sector.  A National Cyber Advisor is a good start, but what is really needed is a Cyber Corps capable of identifying and solving serious technological, technical, and interoperabilty challenges.

4.  We desperately need to rewire our people as well, giving them the mental models they need to utilize rather than just apply technological solutions.  The existing heavily bureaucratic and rules-based (as opposed to values-based) approach prevalent in most government agencies generates outcomes that short-circuit even the best technology.

To make matters worse, these problems don’t operate in isolation from another.  Instead, they often combine to create new challenges while doing nothing to solve the old ones.  Let me cite just one example:  the national terrorist watch list, which the government started as part of its response to 9/11.  Today, according to the ACLU, that list contains more than a million names.  Does anybody in the government seriously think that there are that many terrorists in the world?

So what happened here?  Frankly, I don’t know for sure — I’m neither familiar with the database nor privy to how it has been used.  And let me emphasize once again that I am not an expert on technology, security, or how the government works.  But if I were to speculate, I’m guessing that this is how events played out:

• To create the database, the U.S. Government issued a request for proposals and subsequently hired a contractor, probably the lowest bidder.  Since the USG did not pay top dollar and relied on an outside source, chances are that the company ultimately responsible for building the database did it in a way that minimized effort and maximized profit.
• When the system was installed, the people who were to use the database received only minimal training — how to enter suspects, how to look up names, etc.  No one inside or outside the government was shown how to use the database’s dynamic qualities, and no one actually doing the data input was taught to think about what they were doing.
• Once the system was up and running, multiple agencies simultaneously added names to the database, probably with minimal inter-agency consultation or cooperation.  The end result was that no one paid any attention to what anyone else was doing.  According to an October 2007 report by Glenn Fine, the Justice Department Inspector General, an average of 20,000 new names get added every month.
• To minimize hassle and maximize ease of use, no safeguards were installed either to protect civil liberties or address the due process implications of say, having two John Smiths in the database but ten thousand John Smiths trying to get on flights.
• As a result, those using the database to check for terrorists only know that they have a match, with no capacity to ferret out false positives and mistaken identities.
• Since the system is designed only to penalize those who don’t obey the rules, those using the system have absolutely no incentive to help those inadvertently identified as terrorists.
• Once someone is in the system, there is little or no recourse for them to get their name removed, condemning them to a permanent negative feedback loop involving unnecessary delays, futile searches, and ritualized humiliation.
• And since multiple agencies means no responsibility, there’s no accountability. No one is in charge.
• The end result is a database not only functionally useless, but actually a real hindrance to ferreting out real terrorists.

If Senator Obama really wants us to be prepared for external attacks, he first has to make sure our own hose is in order.  That will require him — and his new Cyber Advisor — to move beyond the very real threat of cyber-terrorism to address the far more prevalent challenges caused by a broken system.

I’ll be interested to see whether John McCain has a response to this.  I’m afraid that when he does, however, he just might confuse the idea of cyber war with Cylon War.  And then we’d end up in a 100-year war against the robots.  You gotta think that won’t end well.

Related posts

• Twenty Questions for the Debate Tonight
• The Manchurian President
• Thank You David Axelrod. . .for Annoying Everyone
• I Can See Al-Qaeda from My House
• Citizens of the World, Remember