Thursday, October 17, 2002
TISC Insight: Federal Cybersecurity: Get a Backbone

So here's a Cyber Security strategy that would work. It's as anti-competitive as you can get and has a snowball's chance in hell of being adopted. It's downright Machiavellian. Or, perhaps, Napoleonic:

  1. Make it illegal to sell a PC that doesn't come with a fully-licensed Antivirus product and personal firewall pre-installed on it.

  2. Standardize government Infosec products in use on a best-of-breed basis like any FORTUNE 500 company would - across all federal computers.

  3. Terminate federal employees and their supervisors if they are proven responsible for security breaches due to their negligence.

  4. Spend a few million dollars (or use some internal resources) to code a government-issue personal firewall and anti-virus product. Give it away. Standardize on it. Make it available to ISPs. Writing firewalls isn't hard. I've written two single-handedly.

  5. Establish a standard firewall configuration policy (e.g.: a site security policy) for all internet-connected federal agencies and adhere to it rigorously. 99% of the government's security problems result from incompatible policies and lax enforcement. FORTUNE 500 firms get this right; the taxpayers' employees should do no less.

So it's anti-competitive and Machiavellian. National defense always is.

Don't sweat consensus. Lead.

Marcus Ranum, the man behind SEAL (the first commercial firewall), Gauntlet (another early commercial firewall), and NFR (the first commercial intrusion detection platform), comments on the lack of teeth in Bush's Cybersecurity Plan and offers a plan of his own.


Info Security From Wozz