S. 773: Big Brother or Sarbanes-Oxley of the Internet?

by Robert Bloomfield

Longtime followers of Metanomics know I often rely on the standard business-school rubric of identifying opportunities and challenges. For this Wednesday’s show, I am expecting guest Paulette Robinson to make a strong case for the opportunities virtual worlds present to federal agencies, while her NDU colleague Robert (Rocky) Young will throw out a wet blanket by pointing out that current virtual worlds are almost fatally insecure. (As you can see in the related shows list, Paulette has been on the show before to talk about the Federal Consortium for Virtual Worlds, back in early 2008—I am looking forward to an update. And Dan Miller, back in October of 2007 discussed some virtual world policy issues, but mostly on the economic side.)

Rocky seems to think virtual worlds are only slightly more insecure than other technologies. (Expect to hear some scathing criticisms of Skype.) In keeping with his view that cybersecurity experts are the ‘NO’ people, you can look forward to Rocky presenting a truly terrifying view of everyone’s vulnerability to determined hackers, no matter what applications they use.

Still, virtual worlds present wonderful new ways to expose yourself to harm. According to Rocky, that freebie outfit you got from an avatar you think you know could be all a scheming hacker (or foreign agent) needs to compromise your virtual world account, allowing them to make your avatar say or do whatever they want. What’s more, it can give them direct access to your entire system. You don’t use the same computer for Second Life and online banking, do you? Or access your company’s or agency’s network drives?

A few minutes on the phone with Rocky will leave you pining for the days of stone tablets. For me, the pre-interview clarified two trade-offs: how much convenience are we willing to sacrifice for personal security, and how much privacy are we willing to sacrifice for confidence that our public infrastructure is secure? (If the latter seems surprising, think about the private citizen who uses their personal laptop to work on files for their job at the electric utility company.)

Not surprisingly, the tech-oriented Obama administration is on the case, working with some moderate Senators to introduce S. 773, a cybersecurity act that would give the Commerce Secretary some new powers. If you are concerned about government intrusion, start your engines with Section 14, the Public-Private Clearinghouse:

The Secretary of Commerce…shall have access to all relevant data concerning [Federal Government and private sector owned critical infrastructure information systems and networks] without regard to any provision of law, regulation, rule, or policy restricting such access…[and establish] the criteria in which private sector owners of critical infrastructure information systems and networks shall share actionable cybersecurity threat and vulnerability information and relevant data with the Federal Government

The blogosphere already sees the hand of Big Brother here, and I can see their point. But as an Accounting professor, the act as a whole reminds me strongly of Sarbanes-Oxley (SOX). SOX required firms to shore up their internal controls (which prevent fraud), with auditors required to attest to internal control strength. Corporations—especially mid-sized ones that lacked the resources for such extensive investment in administration—squealed loudly, and there is evidence that many such companies delisted from US markets, opting to go private or to list in European markets.

S. 773 gives us a whole new class of security standards, and Section 7 creates a new industry of security professionals:

SEC. 7. LICENSING AND CERTIFICATION OF CYBERSECURITY PROFESSIONALS.
(a) IN GENERAL- Within 1 year after the date of enactment of this Act, the Secretary of Commerce shall develop or coordinate and integrate a national licensing, certification, and periodic recertification program for cybersecurity professionals.

(b) MANDATORY LICENSING- Beginning 3 years after the date of enactment of this Act, it shall be unlawful for any individual to engage in business in the United States, or to be employed in the United States, as a provider of cybersecurity services to any Federal agency or an information system or network designated by the President, or the President’s designee, as a critical infrastructure information system or network, who is not licensed and certified under the program.

Just as SOX was viewed as the Accountants’ Full Employment Act, you might see S. 773 as serving the same role for security professionals. (Did I mention the bill includes a lot of money for scholarships and research?)

I am not nearly informed enough to hazard an opinion on these proposals—I can see the merits and the risks. Fortunately, we will have this week’s Washington correspondent on the show, Sterling Wright, who will take our ‘In the Spotlight’ Session to give all of us some perspective on the issues.

If you have any thoughts or questions, please chime in so that we can integrate them into Wednesday’s conversation.
