The report is called “Securing Cyberspace for the 44th Presidency,” and one paragraph in its opening section succinctly sets forth the Internet-related challenges awaiting President-elect Barack Obama.
“Cybersecurity is now a major security problem for the United States,” the Center for Strategic and International Studies commission report begins. “Decisions and actions must respect privacy and civil liberties, and only a comprehensive national security strategy that embraces both the domestic and international aspects of cybersecurity will make us more secure.”
The commssion’s major strategy recommendations to help with those goals are wide-ranging:
- Create a White House office — Assistant to the President for Cyberspace — to coordinate responses to cyberthreats across domestic, intelligence, military and economic elements of the government;
- Give that office jurisdiction over cybersecurity elements in the Department of Homeland Security along with the National Cybersecurity Center and the Joint Inter-Agency Cyber Task Force.
- Update laws to reflect 21st-century technologies;
- Regulate cyberspace in a way that walks the tightrope between free markets and government mandates;
- Make sure the U.S. government — the biggest buyer of IT products — is purchasing the best, most secure software and hardware;
- Spend more money on cybersecurity research, development and education.
The CSIS commission began its report last year following a wave of digital break-ins at the Pentagon and other federal agencies, with some of those intrusions traced to foreign sources. The commissions members include many current and former government security officials, as well as representatives from Microsoft, Oracle, IBM, Cisco Systems and AT&T.
“Our research and interviews for this report made it clear that we face a long-term challenge in cyberspace from foreign intelligence agencies and militaries, criminals and others,” the commission’s report states, “and that this struggle will wreak serious damage on the economic health and national security of the U.S. unless we respond vigorously.”
A Former U.S. Cybersecurity Czar Weighs In
Howard Schmidt served on the CSIS commission and brings with him a unique perspective on how the U.S. government has dealt with cyber-threat strategies. Currently the president and CEO of Information Security Forum, a UK-based data risk management company, he was President Bush’s first cybersecurity czar immediately following the Sept. 11, 2001 attacks. He left in March 2003 and the position became a revolving door of sorts for private sector security experts in the Bush administration. How will the establishment of a new cybersecurity point person in an Obama administration be any different?
“When I was there, the intent was for a temporary position, to look at ways to operationalize the issues around cyberspace in what was then the new Department of Homeland Security,” Schmidt told TechNewsWorld. “And while there were some of us who felt that should have been a permanent position because it’s such a critical asset, nationally and internationally, for someone to look at the full spectrum of things because of the way our society depends on the Internet, it was just a temporary position. This would be an office empowered to be a permanent part of the infrastructure.”
Schmidt believes that cooperation will be key; not just between the various government agencies, but between the government and the private sector segments that now have such a crucial business stake in the Internet. He points to the market forces that helped crack down on e-mail phishing — filters set up by ISPs, e-mail clients and Web browsers — as an example of private sector improvements that didn’t rely on government mandates. But those may be coming too, Schmidt warned. “Look at the telecommunications industry and the ability to give them the legal authority to block malware, which doesn’t exist. There’s software development and the requirement to make it less vulnerable by using better coding processes. That’s part of a regulatory scheme.”
Candidate Obama spent a lot of time talking up the promise of technology during the campaign, with promises to appoint a U.S. chief technology officer, focus on wider broadband access and look at putting more healthcare records online. Schmidt believes a tech-friendly Obama will embrace the commission’s findings.
“From everything I’ve seen and dialogues I’ve had with people working on the transition, they’ve been very keen to say, ‘We want to make real change, meaningful change,'” Schmidt said. “Part of that is looking at new, fresh ideas, and that’s what this report is. Will all the recommendations be adopted? Of course not, but the bottom line is it’s a place to start having the discussion, to start figuring out what’s workable and how we can strengthen the nation through effective, meaningful change, and making it a national priority rather than just something we’ll worry about.”
The Need for International Cooperation
A lot of the worry in the security community comes from the increasing number of attacks from foreign shores, particularly Russia and China. A cyber-strategy that melds diplomatic initiatives with military responses will be helpful in mitigating those threats, Gary Moore, chief architect at Dallas-based security company Entrust, told TechNewsWorld.
“Over 80 percent of the attacks are coming from outside the country, so where does that border stop and what sort of power can be used outside the border?” Moore asked. “We don’t have cooperative agreements with most of the countries that would allow us to be able to go in after the cyberattackers. It’s challenging enough to go after physical crimes overseas. When we talk about cybercrimes, it adds that much more complexity. A lot of these countries where these bad guys are based don’t have cybersecurity infrastructures.”
Moore is encouraged that one part of the commission’s report includes a section titled, “Don’t Start Over.” The section refers to the Bush administration’s Comprehensive National Cybersecurity Initiative, but another holdover project, the Critical Infrastructure Protection Program, could also be beneficial. “This allowed the U.S. to go out and discuss with other countries that the threat is not just ours,” he said. “The threat is to global commerce. We’ve seen what happens when you lose a physical cable in the Mediterranean. The impact on global commerce from a cyberattack on the U.S. would be significant. The ability to talk to other countries in open forums is hugely beneficial. I’m hoping that something like this new office would allow the reincarnation of those types of discussions with these countries where we have those concerns.
“If you look at Russia, you’re almost talking about a new cyber Cold War, given the political relationships that exist today,” Moore said. “And with the threat coming out of Russia in terms of organized crime, we face some real challenges if we can’t get cooperation out of the Russian government.”